{"id":255632,"date":"2026-05-21T04:00:00","date_gmt":"2026-05-21T08:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/grafana-labs-says-code-breach-stemmed-from-tanstack-attack\/"},"modified":"2026-05-26T06:40:10","modified_gmt":"2026-05-26T10:40:10","slug":"grafana-labs-says-code-breach-stemmed-from-tanstack-attack","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/grafana-labs-says-code-breach-stemmed-from-tanstack-attack\/","title":{"rendered":"Grafana Labs Says Code Breach Stemmed from TanStack Attack"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/grafana-labs-code-breach-tanstack\/\">Grafana Labs Says Code Breach Stemmed from TanStack Attack<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/grafana-labs-code-breach-tanstack\/\">https:\/\/www.infosecurity-magazine.com\/news\/grafana-labs-code-breach-tanstack\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-21 04:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A popular developer of open source analytics software has revealed that a recent data breach and extortion incident was caused by the Mini Shai-Hulud campaign which compromised TanStack packages.<\/p>\n<p>Grafana Labs, which makes the AI-powered visualization app Grafana, said on May 17 that it had discovered an unauthorized attacker had downloaded its codebase after accessing the firm\u2019s GitHub environment.<\/p>\n<p>In an update this week, the developer shared more about the incident, revealing that it first spotted the malicious activity on May 11 and tied it to the TanStack supply chain attacks.<\/p>\n<p>TeamPCP threat actors compromised dozens of TanStack npm packages with credential-stealing malware targeting CI\/CD environments including GitHub Actions.<\/p>\n<p>This\u00a0meant that\u00a0when a malicious package was released, Grafana\u2019s CI\/CD environment automatically consumed it and the infostealer executed to exfiltrate GitHub workflow tokens.<\/p>\n<p>\u201cWe performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,\u201d Grafana admitted. \u201cA subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.\u201d<\/p>\n<p>Read more on Shai-Hulud: Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem<\/p>\n<p>\u201cAs soon as we were contacted by the ransom gang, we launched mitigation efforts, which have included rotating automation tokens, implementing enhanced monitoring, auditing all commits since the May 11 incident, and significantly hardening our GitHub security posture,\u201d Grafana continued.<\/p>\n<p>Grafana Labs also shared that additional \u201cinternal operational information and other details\u201d were taken by TeamPCP from its GitHub repositories, alongside the firm\u2019s codebase.<\/p>\n<p>\u201cThis includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/grafana-labs-code-breach-tanstack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Grafana Labs Says Code Breach Stemmed from TanStack Attack https:\/\/www.infosecurity-magazine.com\/news\/grafana-labs-code-breach-tanstack\/ Publish Date: 2026-05-21 04:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":255633,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/1efc8a24-03c2-4fa0-a024-81104871022e.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,36,32],"class_list":["post-255632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-infostealer","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/255632"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=255632"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/255632\/revisions"}],"predecessor-version":[{"id":255634,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/255632\/revisions\/255634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/255633"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=255632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=255632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=255632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}