https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident

Grafana Labs, the company behind one of the most widely deployed open-source observability platforms in the world, has confirmed it was targeted by a ransomware extortion campaign after threat actors exploited the TanStack npm supply chain attack, a campaign researchers have labelled “Mini Shai-Hulud”, to gain unauthorised access to the company’s GitHub repositories. Grafana Labs detected the malicious activity on 11 May 2026 and immediately initiated incident response procedures, rotating a significant number of GitHub workflow tokens as part of the initial containment effort. However, a single missed token proved to be the critical gap: attackers used it to access the company’s GitHub environment, downloading both public and private source code repositories as well as internal operational repositories containing business contact information and email addresses. On 16 May, the threat actors issued a ransom demand under threat of public disclosure, which Grafana Labs declined to pay — a decision the company explicitly aligned with the FBI’s formal position that paying ransoms does not guarantee security and serves only to fund further criminal activity.

The confirmed scope of the incident is limited to the Grafana Labs GitHub environment and does not extend to production systems or the Grafana Cloud platform. Critically, the downloaded source code was not altered, meaning users of Grafana’s open-source projects and cloud platform do not need to take any immediate action in response to this specific incident. That distinction matters: a supply chain attack that modifies code is categorically more dangerous than one that exfiltrates it, because tampered code can be distributed silently to every downstream user before anyone detects the change. Grafana Labs has confirmed it audited all commits since the 11 May incident to verify code integrity, and has since rotated automation tokens, implemented enhanced monitoring, and significantly hardened its GitHub security posture, including strengthening controls across its CI/CD pipelines.
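The post-incident commit audit described above can be scripted. The following is an added example, not Grafana Labs' own tooling: it takes the output of `git log --since=<date> --format='%H|%an|%ae|%cI|%G?'` (the `%G?` placeholder is git's signature-verification status) and flags every commit committed on or after the incident date that is either not carrying a good signature or authored from an e-mail domain outside a trusted allow-list. The log lines, hashes, names and addresses embedded below are constructed for the example; the cutoff date is the 11 May 2026 detection date from the post.

```python
"""Flag commits since an incident date that lack a good signature or come
from an untrusted author domain.  Added example; input format assumed to be
  git log --since=<date> --format='%H|%an|%ae|%cI|%G?'
where %G? is G (good), N (none), B (bad), U (good but untrusted key), E (error).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Detection date stated in the post; the audit covers commits from this point.
INCIDENT_START = datetime(2026, 5, 11, tzinfo=timezone.utc)

# Author e-mail domains considered legitimate (hypothetical allow-list).
TRUSTED_DOMAINS = {"example-org.com"}

# Constructed sample log output: hashes, names and addresses are made up.
SAMPLE_LOG = """\
0a1f3c9e|alice|alice@example-org.com|2026-05-10T23:55:00+00:00|G
3c4d7b21|bob|bob@example-org.com|2026-05-11T08:30:00+00:00|G
5e6f9a44|ci-bot|ci-bot@example-org.com|2026-05-12T14:02:00+00:00|N
7a8b1d05|mallory|mallory@unknown-host.test|2026-05-13T03:45:00+00:00|N
9c0d2e77|carol|carol@example-org.com|2026-05-14T10:00:00+00:00|U
"""


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committed_at: datetime
    sig_status: str  # raw value of git's %G? placeholder


def parse_log(text: str) -> list[Commit]:
    """Parse pipe-delimited git log lines into Commit records."""
    commits: list[Commit] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, name, email, stamp, sig = line.split("|", 4)
        # %cI is strict ISO 8601 with offset, so the datetime is tz-aware.
        commits.append(Commit(sha, name, email, datetime.fromisoformat(stamp), sig))
    return commits


def audit(commits: list[Commit], since: datetime,
          trusted_domains: set[str]) -> list[tuple[str, list[str]]]:
    """Return (sha, reasons) for commits at/after `since` that need review.

    A commit is flagged when its signature status is anything other than a
    good, trusted signature, or when the author domain is not allow-listed.
    """
    findings: list[tuple[str, list[str]]] = []
    for c in commits:
        if c.committed_at < since:
            continue  # outside the audit window
        reasons: list[str] = []
        if c.sig_status != "G":
            reasons.append(f"signature status {c.sig_status!r}")
        domain = c.author_email.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            reasons.append(f"author domain {domain!r} not trusted")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


def run_sample_audit() -> list[tuple[str, list[str]]]:
    """Audit the constructed sample log against the incident window."""
    return audit(parse_log(SAMPLE_LOG), INCIDENT_START, TRUSTED_DOMAINS)


if __name__ == "__main__":
    for sha, reasons in run_sample_audit():
        print(sha, "->", "; ".join(reasons))
```

In practice this is run once per repository (public, private and internal alike), feeding it the real `git log` output; commits that the script flags are the ones to compare against the expected change history, since an unsigned commit or an unfamiliar author in the post-incident window is exactly what a code-tampering attempt would look like.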

This incident is the latest in a series of high-profile compromises stemming from the TanStack npm supply chain attack, which has now claimed both OpenAI and Grafana Labs as confirmed victims within days of each other.