The hackers exfiltrated a codebase that was already open source, then demanded payment to keep it from being released. Grafana said no, and cited the FBI’s standing advice. It is the second high-profile extortion case in seven days.
Grafana Labs, the open-source monitoring and visualisation company, disclosed on Monday that hackers had broken into its development environment, exfiltrated a copy of its codebase, and demanded a ransom to prevent the code from being released.
The company said no, and the codebase, on the most awkward fact in the story, is already open source.
The mechanics are the part that matters. Grafana’s own statement on X confirmed that the attackers obtained a stolen token credential, which gave them access to the company’s GitHub environment, which Grafana uses for code development.
The token did not, on the company’s account, provide access to customer records, customer systems, or financial data. The token has since been invalidated, and additional security controls have been layered on top.
The Hacker News reports that the root cause was a recently enabled GitHub Action containing a ‘Pwn Request’ misconfiguration, in which a pull_request_target workflow granted external contributors access to production CI secrets, and that the intrusion was caught by one of Grafana’s deployed canary tokens, triggering an internal alert.
The attackers, identified across Register and HelpNet coverage as a data-extortion group calling itself CoinbaseCartel (active on the cybercrime scene since September 2025, on Halcyon and Fortinet FortiGuard tracking), framed the leverage as a release-or-pay choice.
The company’s response, in its own words: ‘The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase.’
Grafana cited the FBI’s long-standing advice that paying ransoms doesn’t guarantee you or your organization will get any data back, ‘offers an incentive for others to get involved in this type of illegal activity, and ultimately funds further attacks.
What gives the case its texture is the seven-day comparison. Education-technology giant Instructure, whose Canvas learning-management platform serves 275 million users across more than 8,800 institutions, reached an agreement with hackers last week after being breached twice in successive weeks by the ShinyHunters group.
Instructure has not publicly disclosed the amount paid; unconfirmed industry estimates put the figure at around $10m. Instructure said it received ‘digital confirmation of data destruction (shred logs)’ and assurances that customers would not be subsequently extorted.
The reaction from security professionals was, in the polite version, sceptical of those assurances.
The two cases sit at the polar ends of the playbook. Instructure paid because the stolen data was student and staff personal information that could not be undone once published.
Grafana refused because the stolen material was code that anyone could already download from the company’s public repositories. The threat was, in that sense, performative.
The attackers made the demand anyway, on the working assumption that some percentage of victims pay regardless of whether the underlying leverage exists.
The structural read on the past week of incidents is the recurring one. The defensive side of the enterprise software industry has been reorienting around AI-driven vulnerability discovery: Anthropic’s Mythos model has been finding thousands of zero-day flaws across major operating systems and browsers, and central-bank regulators have moved aggressively to monitor what the same capabilities mean inside the financial system, with the company briefing the Financial Stability Board on its findings.
The Grafana breach was not an AI-driven attack on the available evidence. It was a token-misuse exploit against a GitHub workflow, the kind of intrusion that has been the modal data breach for the past six years. The mechanics are unchanged. The extortion logic that follows them is what is evolving.
Grafana said its investigation is ongoing and it will publish its findings once the probe is complete.
The company did not disclose which specific repositories were exfiltrated, did not name the threat actor in its own statement. The narrower lesson is that the FBI’s no-pay guidance is finally being treated as policy by companies with sufficiently public business models to absorb the optics.
Grafana has the unusual advantage that its product is open source by design. If the no-pay posture extends to companies with proprietary intellectual property is the next test the threat actors will set up.
Get the TNW newsletter
Get the most important tech news in your inbox each week.