GoKawiilThe Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week.
In the ongoing Shai-Hulud malware campaign attributed to TeamPCP hackers, dozens of TanStack packages infected with credential-stealing code were published on the npm index, compromising developer environments, including Grafana's.
When the malicious npm package was released, Grafana’s CI/CD workflow consumed it, and the info-stealer module executed in its GitHub environment, exfiltrating GitHub workflow tokens to the attackers.
The company explains that it detected malicious activity resulting from compromised TanStack packages on May 1, and immediately deployed the incident response plan, which included rotating GitHub workflow tokens.
However, one token was missed in the process, and the attacker used it to gain access to the company's private repositories.
“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” reads Grafana’s update.
“A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.”
Previously, the company confirmed that the intruders stole source code, assuring there was no customer impact, and stating that the hackers would not receive a ransom payment.
The continued investigation revealed that the intruder also downloaded operational information and details Grafana uses for its business.
"This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform" - Grafana
... continue reading