This weekend, we confirmed a targeted attack by a cybercrime group that gained unauthorized access to our GitHub repositories and downloaded our codebase. 

Grafana Labs CISO Joe McManus has published a blog post that provides the latest update about our investigations. Copied and pasted below....

On May 16, 2026, Grafana Labs confirmed a targeted attack by a cybercrime group that gained unauthorized access to our GitHub repositories and downloaded our codebase. They then issued a ransom demand under threat of data disclosure. 

Since we posted our initial findings that day, our investigation has continued, and we are publishing this blog to share more details about our incident response and mitigation. A post-incident report will be published when our investigation is complete.

To date, the investigation has found no evidence that customer production systems or operations have been compromised. This incident was strictly limited to the Grafana Labs GitHub environment and did not affect our production systems or the Grafana Cloud platform.

After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business. This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform. 

To be clear to the users of Grafana Labs' open source projects and the Grafana Cloud platform: our codebase was downloaded, but it was not altered. No action is needed from our customers or open source users at this time.

Our investigation is ongoing as we continue to review logs, telemetry, and all available data within our company-wide GitHub repos. Should we ever determine that any customer's systems or operations are impacted, we will notify them directly.

At Grafana Labs, earning and maintaining our community’s trust is foundational to everything we do. We recognize that customers rely on us as a trusted partner, and we do not take that responsibility lightly. We are sharing this update in the spirit of transparency because we understand you may have questions and because we take this matter seriously.

Summary and background

The incident originated from a TanStack npm supply chain attack via the Mini Shai-Hulud campaign. We detected the malicious activity on May 11 and immediately initiated our incident response plan. 

We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.

On May 16, we received a demand from a bad actor for a ransom payment to prevent the release of our codebase. Grafana Labs determined the appropriate path forward is not to pay the ransom. This decision aligns with the FBI’s formal position that paying a ransom does not guarantee security and only serves to incentivize further criminal enterprise.

As soon as we were contacted by the ransom gang, we launched mitigation efforts, which have included rotating automation tokens, implementing enhanced monitoring, auditing all commits since the May 11 incident, and significantly hardening our GitHub security posture.

We have also notified federal law enforcement and will maintain an ongoing dialogue with them about the situation.  

Impact and response

Current findings indicate the scope of this incident is limited to the Grafana Labs GitHub repositories, which include public and private source code along with internal GitHub repos. 

There is no evidence that customer production systems or operations have been compromised. 

As part of our standard security practices, we will share additional information from our post-incident review when our investigation is complete.

Grafana Labs is also taking steps to increase security measures to protect our systems. We are currently implementing significant measures to further secure our CI/CD (continuous integration and continuous deployment) pipelines and prevent a recurrence of this type of issue.

Our teams remain focused on the continued investigation and the deployment of increased security controls.

Grafana Loki was recommended to me for centralized logging and so I set up Loki using the provided sample files here: https://grafana.com/docs/loki/latest/setup/install/docker/#install-with-docker-compose but looking at it I don't understand the need for three different Loki containers. Which ones do I actually need? And how do I have Loki use standard filesystem storage instead of minio?

I added dedicated AWS / EKS support to KubeShark.

Mini recap:

KubeShark is my Kubernetes skill for Claude Code and Codex.

It helps AI agents generate, review, and refactor Kubernetes manifests without falling into the usual LLM traps: missing security contexts, deprecated API versions, broken selectors, wildcard RBAC, unsafe probes, missing resource requests, and rollout configs that look okay but fail under real traffic.

The important part is that KubeShark is failure-mode-first. It does not just tell the model “write good Kubernetes”. It forces the model to reason about what can go wrong before it generates YAML, and then return validation and rollback guidance as part of the answer.

That matters a lot with Kubernetes, because many bad manifests are accepted by the API server and only fail later at runtime.

Repo: https://github.com/LukasNiessen/kubernetes-skill

---

Now what’s new:

KubeShark now has special dedicated AWS / EKS support.

When the task involves EKS, AWS, IRSA, EKS Pod Identity, AWS Load Balancer Controller, EBS/EFS CSI, AWS VPC CNI, or Karpenter, KubeShark switches into EKS-aware guidance.

That matters because EKS is “just Kubernetes” until identity, load balancing, storage, pod networking, and node provisioning enter the picture.

Common LLM mistakes include:

• putting AWS access keys into Kubernetes Secrets
• mixing IRSA and EKS Pod Identity assumptions
• using nginx annotations with AWS Load Balancer Controller
• treating EBS like ReadWriteMany storage
• recommending Karpenter while omitting resource requests
• assuming NetworkPolicy works without checking the CNI/policy engine

Example guidance KubeShark now keeps in mind:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: payments
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/payments-app

It also knows that EBS is usually RWO and zone-sensitive, EFS is the RWX option, and Karpenter depends heavily on good workload requests.

So instead of generic Kubernetes advice, you get EKS-aware manifest generation and review.

Hey everyone, I aggregated and curated all public Grafana CVEs into a single, high-speed Python script to make testing mass targets easier for bug hunters and red teamers. Zero dependencies, clean terminal output, and ready for automation.
github: https://github.com/Zierax/Grafana-Final-Scanner

I just open-sourced a collection of ready-to-run OpenTelemetry

Collector configurations, because finding complete, working configs

for your specific backend always takes hours of trial and error.

It now includes examples for:

• Prometheus
• Jaeger
• Grafana Loki
• Dynatrace
• Datadog
• Kubernetes Operator
• Kubernetes Pod Annotation Scraping (with full relabeling)
• Debug (no backend needed, perfect for local dev)

Each example includes Docker Compose so you can run it in 60 seconds.

The k8s pod annotation scraping example includes relabeling for

prometheus.io/scrape, prometheus.io/port, and prometheus.io/path

annotations, the config everyone googles when setting up k8s monitoring.

I also actively contribute to the OpenTelemetry open source project,

recently got PRs merged into open-telemetry/otel-arrow and have PRs

open in opentelemetry-android, opentelemetry-helm-charts, and

opentelemetry-dotnet-instrumentation.

https://github.com/Cloud-Architect-Emma/opentelemetry-collector-examples

Feedback and contributions welcome! ⭐ if it's useful.

#OpenTelemetry #DevOps #Observability #Kubernetes #SRE #Monitoring #CloudNative #OpenSource