
Grafana Tells Extortionists to Get Lost After GitHub Token Breach Exposes Codebase

Attackers stole a Grafana GitHub token, downloaded the codebase, and demanded ransom. Grafana refused. Here's what happened.

Dateline: May 18, 2026

How a Canary Token Saved Grafana from a Quiet Codebase Heist

A stolen token. A quietly downloaded codebase. A ransom demand sent in the dark. And a public refusal that landed before the criminals could finish writing their threat. That’s the short version of the Grafana GitHub token breach, which the observability company disclosed on May 16, 2026. The longer version is a textbook lesson in how a single misconfigured workflow can hand attackers the keys to your private repositories, and why thousands of companies running CI/CD pipelines should be reading this with their workflow files open.

What Happened?

According to Grafana Labs’ disclosure on May 16, 2026, an unauthorized party obtained a token granting access to its GitHub environment and used it to download its codebase. The intrusion was caught when one of the thousands of canary tokens Grafana had seeded across its environment fired: a canary token is a deliberately planted fake credential that raises an alert the moment anyone uses it.

The root cause was a newly enabled GitHub Actions workflow carrying a “Pwn Request” misconfiguration: a pull_request_target trigger that ran code submitted from forks with the base repository’s secrets. The attacker forked a Grafana repository, submitted a pull request that injected malicious code via a curl command, and dumped the runner’s environment variables to a file encrypted to an attacker-controlled key, so only the attacker could read the exfiltrated secrets. From that dump they extracted the privileged token, used it to pull four more private repositories, and deleted the fork to cover their tracks.

Reports from Hackmanac and Ransomware.live indicate that a cybercrime group calling itself CoinbaseCartel has claimed responsibility; the group is assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.

After grabbing the code, the attacker demanded payment to keep it private. Grafana said no, citing FBI guidance that “paying a ransom doesn’t guarantee you or your organization will get any data back” and only “offers an incentive for others to get involved in this type of illegal activity”.

The Impact

For Grafana customers, the news is good. The investigation confirmed that no customer data or personal information was accessed, and there is no evidence of impact to customer systems or operations. Compromised credentials were invalidated, the bad workflow was ripped out, and public-repo workflows were temporarily disabled.

For everyone else, the takeaway is uglier. pull_request_target is the trigger thousands of open-source projects use to run CI checks on community contributions, because unlike the plain pull_request trigger it runs in the context of the base repository, with access to its secrets and its GITHUB_TOKEN. That is exactly what makes checking out and executing the fork’s code under it dangerous.

Security researchers noted that the attack vector, a misconfigured pull_request_target workflow, is a widely underestimated attack surface across the open-source ecosystem. Translation: if your repo accepts pull requests from forks and runs them with elevated permissions, you’re one well-crafted PR away from a very bad week.

How to Avoid This

A few practical moves, none of them exotic:

  • Audit every .github/workflows file for pull_request_target. If found, confirm it does not check out and execute code from the pull request itself.
  • Swap static credentials for OIDC token authentication wherever possible.
  • Pin third-party GitHub Actions to a specific commit SHA, not a floating tag.
  • Plant canary tokens inside build environments. Grafana’s whole detection story exists because they did this.
  • Apply least-privilege scoping to every workflow token, and rotate them on a schedule.
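As an added example (not Grafana’s code or any tool Secure.com ships), the script below automates the first and third checks above: it flags workflows that combine pull_request_target with a checkout of the pull request’s head, and any action referenced by a floating tag or branch instead of a 40-character commit SHA. The two embedded workflow files are constructed samples, one showing the “Pwn Request” pattern and one hardened, and the commit SHA in the hardened sample is an illustrative placeholder. Detection is deliberately text-based so the script needs nothing beyond the standard library.

```python
import glob
import re

# Constructed sample: the "Pwn Request" pattern. pull_request_target runs with the
# base repo's secrets, and the checkout step fetches the fork's commit, so any
# 'make test' target the fork controls executes with DEPLOY_TOKEN in scope.
VULNERABLE_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/setup-tool@main
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed hardened sample: plain pull_request (fork PRs get no secrets and a
# read-only GITHUB_TOKEN), explicit least-privilege permissions, and the action
# pinned to a full commit SHA (placeholder value for illustration).
HARDENED_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - run: make test
"""

# 'on: pull_request_target', 'on: [pull_request, pull_request_target]' or the
# mapping form '  pull_request_target:'.
PRT_TRIGGER = re.compile(
    r"^\s*(on:\s*.*\bpull_request_target\b|pull_request_target\s*:)", re.MULTILINE
)
# Any reference to the PR head is attacker-controlled under pull_request_target.
CHECKOUT_PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return a list of findings for one workflow file's contents."""
    findings = []
    has_prt = PRT_TRIGGER.search(text) is not None
    checks_out_head = CHECKOUT_PR_HEAD.search(text) is not None
    if has_prt and checks_out_head:
        findings.append(
            "CRITICAL: pull_request_target workflow checks out the PR head; "
            "untrusted fork code runs with base-repo secrets"
        )
    elif has_prt:
        findings.append(
            "WARN: pull_request_target present; confirm no step executes PR-controlled code"
        )
    for match in USES_LINE.finditer(text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local or container actions are not tag-pinned the same way
        action, _, ref = spec.partition("@")
        if not SHA40.match(ref):
            findings.append(
                f"WARN: {action} pinned to floating ref '{ref}'; pin to a commit SHA"
            )
    return findings


def audit_repo(root="."):
    """Audit every workflow under <root>/.github/workflows and return {path: findings}."""
    results = {}
    for path in sorted(glob.glob(f"{root}/.github/workflows/*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            findings = audit_workflow(fh.read())
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{name}]")
        for finding in audit_workflow(text) or ["OK: no findings"]:
            print("  ", finding)
    for path, findings in audit_repo().items():
        print(path)
        for finding in findings:
            print("  ", finding)
```

Run it from a repository root to get findings per workflow file. The CRITICAL case is the one that matters most: under pull_request_target the PR head is attacker-controlled, so even a checkout followed by an innocuous-looking build step hands the fork’s author every secret the job can read. The hardened sample avoids the trigger entirely; where pull_request_target is genuinely needed (for example to label PRs), keep it in a job that never checks out or runs the PR’s code.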

Catch Token Theft Before the Extortion Email Arrives

Most companies find out about a stolen token only when the extortion email arrives. Grafana found out earlier because a canary fired. Secure.com’s Digital Security Teammates watch the places attackers actually go.

  • Secret scanning that blocks the commit, not the post-mortem. Hardcoded keys flagged pre-merge, with rotation triggered automatically.
  • CI/CD pipeline misconfiguration detection across SAST, DAST, IaC, and SCA, so a bad workflow gets caught before it ships.
  • Identity and access governance with privilege escalation detection, so a stolen token can’t quietly sweep four more repos.
  • Real-time SIEM correlation that connects an odd API call to a downstream codebase pull in seconds, not days.
  • Audit-ready evidence of every action your teammates take, so disclosure (if it ever comes) is a click, not a scramble.