Grafana Labs confirmed a breach limited to its GitHub environment on May 19, 2026, with no evidence that customer production systems or operations were compromised. The incident exposed public and private source code stored in internal GitHub repositories.

The breach connects to a TanStack npm package attack, where threat actors obtained Grafana credentials and leveraged them to access the company's GitHub infrastructure. Attackers did not penetrate production environments, customer data systems, or operational technology behind Grafana's services.

Grafana's investigation revealed the attack vector involved compromised credentials rather than zero-day exploits or direct infrastructure compromise. The exposure centered on intellectual property and development artifacts in version control systems. This distinction matters for customers relying on Grafana for monitoring and observability. Their data, dashboards, and alerts remained untouched.

The incident highlights a persistent threat pattern. Developers rely on npm and other package repositories for dependencies. When attackers compromise legitimate packages or developer accounts, they gain footholds into organizational networks. The TanStack supply chain vector provided initial access, which attackers then weaponized to target Grafana's GitHub presence.

Organizations using Grafana should audit their authentication logs and rotate any stored credentials or API tokens. The exposure of source code carries downstream risks. Developers hardcoding secrets, API keys, or configuration details in repositories face heightened vulnerability to exploitation. Grafana users should review public repositories and documentation for accidentally exposed credentials.
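
The review for exposed credentials recommended above can be partly automated. The following is an added example, not code from Grafana or from this article: a small scanner that walks a checkout and reports Grafana-style tokens with the secret redacted. The token patterns are assumptions based on Grafana's prefixed token formats (`glsa_`, `glc_`, and the legacy base64 API key), and the sample input is constructed.

```python
import re
from pathlib import Path

# Assumed token shapes (not taken from the article); tune them to your environment.
PATTERNS = {
    "grafana-service-account-token": re.compile(r"\bglsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}\b"),
    "grafana-cloud-token": re.compile(r"\bglc_[A-Za-z0-9+/]{32,400}={0,2}"),
    "grafana-legacy-api-key": re.compile(r"\beyJrIjoi[A-Za-z0-9+/]{40,400}={0,2}"),
}

def redact(token, keep=8):
    """Keep only a short prefix so the report never re-leaks the secret."""
    return token[:keep] + "*" * 6

def scan_text(text, source="<memory>"):
    """Return (source, line number, kind, redacted token) for each match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((source, lineno, kind, redact(m.group(0))))
    return findings

def scan_tree(root):
    """Scan every regular file under root, skipping Git's own metadata."""
    findings = []
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample: fake values with the right shape, not real credentials.
SAMPLE = "\n".join([
    "url: https://grafana.example.internal",
    "token: glsa_" + "A1b2C3d4" * 4 + "_" + "0a1b2c3d",
    "GRAFANA_TOKEN=${GRAFANA_TOKEN}  # read from environment, not flagged",
    'headers = {"Authorization": "Bearer glc_' + "eyJvIjoiMSJ9" * 4 + '"}',
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.yaml"):
        print(*finding, sep="\t")
```

Any token this reports should be treated as compromised and rotated, since removing it from the working tree leaves it in Git history.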

Grafana recommends that customers rotate authentication credentials as a precaution and monitor for unauthorized access attempts. The company plans security enhancements to prevent similar GitHub-targeted attacks. No CVEs were assigned because the breach stemmed from credential compromise rather than the exploitation of code vulnerabilities.

This incident demonstrates that even infrastructure-focused companies with strong security practices remain vulnerable to supply chain and credential-based attacks. The separation between source code exposure and production system compromise provided limited