u/vidamon

Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident
▲ 46 r/grafana

This weekend, we confirmed a targeted attack by a cybercrime group that gained unauthorized access to our GitHub repositories and downloaded our codebase. 

Grafana Labs CISO Joe McManus has published a blog post that provides the latest update about our investigations. Copied and pasted below....

On May 16, 2026, Grafana Labs confirmed a targeted attack by a cybercrime group that gained unauthorized access to our GitHub repositories and downloaded our codebase. They then issued a ransom demand under threat of data disclosure. 

Since we posted our initial findings that day, our investigation has continued, and we are publishing this blog to share more details about our incident response and mitigation. A post-incident report will be published when our investigation is complete.

To date, the investigation has found no evidence that customer production systems or operations have been compromised. This incident was strictly limited to the Grafana Labs GitHub environment and did not affect our production systems or the Grafana Cloud platform.

After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business. This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform. 

To be clear to the users of Grafana Labs' open source projects and the Grafana Cloud platform: our codebase was downloaded, but it was not altered. No action is needed from our customers or open source users at this time.

Our investigation is ongoing as we continue to review logs, telemetry, and all available data within our company-wide GitHub repos. Should we ever determine that any customer's systems or operations are impacted, we will notify them directly.

At Grafana Labs, earning and maintaining our community’s trust is foundational to everything we do. We recognize that customers rely on us as a trusted partner, and we do not take that responsibility lightly. We are sharing this update in the spirit of transparency because we understand you may have questions and because we take this matter seriously.

Summary and background

The incident originated from a TanStack npm supply chain attack via the Mini Shai-Hulud campaign. We detected the malicious activity on May 11 and immediately initiated our incident response plan. 

We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.

On May 16, we received a demand from a bad actor for a ransom payment to prevent the release of our codebase. Grafana Labs determined the appropriate path forward is not to pay the ransom. This decision aligns with the FBI’s formal position that paying a ransom does not guarantee security and only serves to incentivize further criminal enterprise.

As soon as we were contacted by the ransom gang, we launched mitigation efforts, which have included rotating automation tokens, implementing enhanced monitoring, auditing all commits since the May 11 incident, and significantly hardening our GitHub security posture.

We have also notified federal law enforcement and will maintain an ongoing dialogue with them about the situation.  

Impact and response

Current findings indicate the scope of this incident is limited to the Grafana Labs GitHub repositories, which include public and private source code along with internal GitHub repos. 

There is no evidence that customer production systems or operations have been compromised. 

As part of our standard security practices, we will share additional information from our post-incident review when our investigation is complete.

Grafana Labs is also taking steps to increase security measures to protect our systems. We are currently implementing significant measures to further secure our CI/CD (continuous integration and continuous deployment) pipelines and prevent a recurrence of this type of issue.

Our teams remain focused on the continued investigation and the deployment of increased security controls.

u/vidamon — 3 days ago
▲ 827 r/sandiegozoo+1 crossposts

These inca terns at the Safari Park are looking pretty regal

Just saw these on their Instagram. Has anyone else seen them when visiting?

First for me, and now I must go back and relive those millennial mustache days.

u/AlkahestGem — 7 days ago
▲ 13 r/grafana

r/grafana updates for better experience: flairs

Some updates:

  • Post flairs: We've added post flairs so Redditors here can easily see what topic a post is about and participate accordingly. Current flairs:
    • Alerting
    • Alloy
    • Assistant
    • Beyla (donated to CNCF and renamed: OpenTelemetry eBPF Instrumentation)
    • Faro
    • Grafana
    • Grafana Cloud
    • k6
    • Kubernetes
    • Loki
    • Mimir
    • OpenTelemetry
    • Prometheus
    • Pyroscope
    • Tanka
    • Tempo
    • Miscellaneous
    • Check it out
  • Grafanista (Grafana Labs employee flairs): Our Grafanistas do a pretty good job identifying themselves as employees when they respond to questions. However, we're taking this one step further by adding these flairs so it's more clear.

Thanks for being part of this community. Open to feedback + suggestions as we continue making the Reddit experience easier and fun for everyone here.

[Edit: Added Kubernetes to the list]

u/vidamon — 8 days ago
▲ 15 r/grafana

Are you answering questions in r/grafana? You might be a good fit for the Grafana Champions or Emerging Champions program

Hey r/grafana — as a mod, I see firsthand how many of you show up in this community — answering questions, sharing configs, helping people debug their dashboards at all hours.

If this sounds like you, I wanna make sure you know about the Grafana Champions program.

The Champions program is Grafana Labs' way of officially recognizing and supporting the people who make communities like this one actually useful. Consistently answering questions (OSS, Cloud, LGTM+ Stack), sharing knowledge, and helping other users on Reddit — that counts.

Being a Champion comes with real perks:

  • Champions swag
  • Private product previews and early access opportunities
  • Access to a private Champions community
  • Official Credly badge
  • Direct access to Grafana Labs teams

If you've been actively contributing here or answering questions about Grafana, the LGTM+ Stack, etc. in other subreddits, I'd genuinely encourage you to throw your name in.

Apply here: https://grafana.com/community/champions/

We also have an Emerging Champions program for folks who are active Grafana users and community members, but want to continue shaping their leadership before becoming a Grafana Champion and receive mentorship from our DevRel team.

Emerging Champions participants will secure an invitation to join the Grafana Champions network.

This upcoming cohort will run from June - Oct 2026. Applications are being accepted from now until May 25, 2026: https://docs.google.com/forms/d/e/1FAIpQLSck9kEPrqber04mxqcX9OU1ZbKU7dUMJFET1Vzd_RMLRlaL5A/viewform?usp=sharing&ouid=115119986954908309518

u/vidamon — 8 days ago
▲ 37 r/grafana

"As part of the GrafanaCON 2026 keynote, we announced that access to Assistant now extends to Grafana Enterprise and Grafana OSS users. This makes Assistant available in your self-managed environment to help you analyze telemetry data and code in real time, build dashboards, ask questions, and more. 

Self-managed Grafana users can create a Grafana Cloud account and connect it to their Grafana installation via a one-click setup. The assistant is included in the Grafana Cloud forever free plan with generous limits so that you can get started right away. You can also watch the video to see how easy it is to get started.

How it works

Assistant runs as a plugin in your Grafana instance. Your raw observability data stays in your instance, and only processed summaries and results are transmitted using our custom tooling architecture. The assistant also "shows its work" by displaying the full conversation history. Any errors or warnings from tool usage are fed back into the conversation, allowing Assistant to iterate and correct mistakes. 

For more information, check out our Assistant docs. You can also get important details on our pricing page, including what's available in our generous free tier.

Customize Assistant for your unique needs

Every organization's observability strategy and workflows are different, so we also want to make sure Assistant can be tailored to your needs. That's why we're excited to make Assistant skills generally available.

Skills are documents you create to guide Assistant agents with instructions, context, and specialized knowledge. They essentially help you encode how your team troubleshoots services, handles specific alerts, and manages shared infrastructure.

Skills now include a new auto-approve feature you can use to write your runbooks, connect to other tools (e.g., GitHub, Cloudflare, other observability platforms, etc.), and auto-approve tool calls of your choice.

When you pair auto-approve with Assistant Investigations, which helps with multi-step investigations, you can even create your own auto-remediation pipeline that’s triggered from an alert. The result? Pretty much anything you need, from raising a PR in GitHub or GitLab to sending a Slack message to someone to assigning a task in Notion.

Stay on top of everything with automations

Observability teams have a lot to keep track of, and that's only increasing now that agents are becoming central to software development. To help you stay on top of everything, we're introducing Assistant automations, which you can use to get automatic summaries of what's happening in your environment.

By pairing automations with skills, you can trigger Assistant to handle any task at any time, with or without you. Want a daily report of all alerts that fired yesterday? A rundown of incidents that were resolved last week? The error rate in your product catalog or whether the latest deployments changed p99? Simply connect to our available integrations or any API, write a skill, and you can get full analyses about these or any other questions you have about your stack and its performance. 

Say 'hello' to Assistant outside of Grafana Cloud

You have your own way of interacting with your systems and your teammates, and odds are that's not done entirely through Grafana Cloud. We want to meet you where you are, so we're expanding the ways you can access Assistant, whether that's through Slack, Microsoft Teams, an API, or the CLI. 

For example, you can now build automations with the Assistant CLI, chat with colleagues and the Assistant in Slack, have Claude Code or Codex collaborate with the Assistant via the CLI, or make requests from a remote machine to the Assistant.

This is all about finding new ways to integrate Assistant into your workflows, rather than forcing you into our UI. Make Assistant work the way that works for you and stop getting slowed down by constant context switching.

Bring your own agent: remote hosted MCP server and our new gcx CLI tool

In addition to bringing Assistant to you, you can now bring more to Assistant. With our new remote hosted MCP server and the new gcx CLI tool, your agents can talk to Assistant, Grafana Cloud, or both.

Use the remote hosted MCP server to connect any agent to the same sophisticated tools that Assistant uses in Grafana Cloud. You don't need to install any dependencies; just point your agent at mcp.grafana.com/mcp to get access to your metrics, logs, traces, dashboards, alerts, incidents, and more. This also allows you to connect other cloud agents to Grafana Cloud if you want to build your own assistant.

If you prefer a local-first approach, gcx unifies grafanactl and the Assistant CLI with agent-first, new CLI tools to your command line and your agentic coding environment. It connects your editor to your entire production stack so your agent can write code that's observability-aware from the start. Instrument a new service, investigate a firing alert, or draft a fix informed by real production data—all without leaving your editor.

Connect any API with Assistant

And don't forget that Assistant can use the Infinity data source to send any GET or POST requests to any publicly or privately available API endpoint. This recent upgrade makes Assistant the center of your DevOps lifecycle, helping you connect it to any other tool, correlate any data, and remediate faster than ever. Or use the capability to check if you caught all Pokémon yet.

More ways to take your Assistant experience to the next level

We're excited for you to try these new features that expand the reach of Assistant, but this isn't everything. We're constantly looking for new ways to improve Assistant to help you improve your observability practices. Here are just some of the other updates we recently released: 

  • The new workspace view, which brings Assistant into full-page mode so you can browse your chats and supporting data in one view
  • Learn mode, which helps you quickly get up to speed on Grafana Assistant with tutorials and example tasks that are personalized to your stack 
  • Reworked context management and infrastructure memories for your stack help so Assistant knows where to look from the start 
  • EU inference for our European customers
  • A Python runtime for Assistant to process large amounts of data
  • Integrations with 15 other Grafana Cloud services or features and more than 50 third-party data sources

For more information on this and all the other exciting updates from GrafanaCON 2026, check out our announcement blog for all the news. And for more information on Grafana Cloud AI, including FAQs about Assistant and our other AI capabilities, check out our AI observability page."

u/vidamon — 24 days ago