Grafana: Source-code leak via attack on TanStack npm package — a supply-chain lesson

Colleagues, a cybersecurity alert: Grafana Labs confirmed that source code and internal repositories were exposed following an attack via the TanStack npm package.
- The company said the compromise was confined to its GitHub environment: public and private code, active repositories and business contacts were accessed.
- The attack is linked to the TeamPCP campaign; activity was observed on 11 May, a ransom demand on 16 May; no payment was made.
- Root cause was a leaked GitHub workflow token. Tokens were rotated, monitoring strengthened and commits audited.
Why it matters: the incident underlines supply-chain risk and the weakness of CI/CD automation, where a single leaked workflow token was enough to expose private repositories.
How do you protect CI/CD and secrets?
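One concrete answer, as an added illustration that is not Grafana's workflow or code from the original post: two versions of a hypothetical GitHub Actions CI job. The first shows the pattern that turns a leaked workflow token into full repository access (an all-scopes token, a mutable action tag, dependency lifecycle scripts running with an org-wide secret in the environment); the second restricts the token to the one scope the job needs, pins the action to a commit, keeps credentials out of the checkout and installs dependencies without running their scripts. The job steps and secret name are assumptions for the example; `<commit-sha>` is a placeholder for a real pinned commit.

```yaml
# Added example, not Grafana's workflow. Two YAML documents in one file.

# --- WEAK: what a leaked workflow token can do with this configuration ---
name: ci-weak
on: [push, pull_request]
permissions: write-all            # GITHUB_TOKEN may push code, create releases, read every scope
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # mutable tag: resolves to whatever v4 points at tomorrow
      - run: npm install          # runs install/postinstall scripts of every transitive dependency
        env:
          ORG_PAT: ${{ secrets.ORG_WIDE_PAT }}   # assumed name; long-lived org-wide PAT visible to those scripts
---
# --- HARDENED: least privilege for the same job ---
name: ci-hardened
on: [push, pull_request]
permissions: {}                   # workflow default: no token scopes at all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read              # the only scope this job needs
    steps:
      - uses: actions/checkout@<commit-sha>   # placeholder: pin to a full commit SHA, not a tag
        with:
          persist-credentials: false          # do not leave the token in .git/config for later steps
      - run: npm ci --ignore-scripts          # lockfile-exact install, no dependency lifecycle scripts
      - run: npm run build                    # the project's own scripts run explicitly, after install
```

With `permissions: {}` at the top and a per-job `contents: read`, a token that leaks from this job can read the repository it ran in and nothing else, and no long-lived personal access token is present in the environment for a malicious package script to collect.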
#cybersecurity #supplychain #DevOps #GitHub