UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected

UPDATE (originally covered 2026-W21): Grafana Labs issued an official 2026-05-18 confirmation of the GitHub Pwn-Request breach previously reported in the 2026-W21 weekly summary (SecurityWeek, 2026-05-18; BleepingComputer, 2026-05-18; The Register, 2026-05-18). The material new disclosures in the 2026-05-18 confirmation: Grafana explicitly states (a) only source code was accessed — "no personal or customer information was stolen"; (b) the incident has not impacted customer systems or operations; (c) the ransom was refused. The technical-mechanism details (pull_request_target workflow misconfiguration, forked-PR injection of a curl command, harvested write-scoped GitHub token, canary-token detection) were previously reported in the 2026-W21 weekly summary citing THN's earlier coverage (The Hacker News, 2026-05-17); they are repeated here as context for defenders who did not catch the weekly. CoinbaseCartel is assessed by THN as an offshoot of the ShinyHunters / Scattered Spider / LAPSUS$ ecosystem and has accumulated ~170 victims since September 2025.

Defender takeaway: Grafana OSS is the de facto monitoring/observability platform in EU/CH public-sector SOC and NOC environments; defenders should monitor non-official Grafana plugin updates and unsigned Grafana agent builds for the next 30 days as a potential supply-chain trojanisation follow-on. The Pwn-Request attack pattern is the same class of CI/CD misconfiguration covered by SentinelOne's Living off the Pipeline taxonomy (referenced 2026-05-16); audit every pull_request_target workflow to ensure no privileged steps run on untrusted-fork code, set permissions: read-all at workflow level and elevate only as needed, and separate privilege-requiring steps into a second workflow_run workflow gated on merged code. MITRE T1195.002 / T1552.004 / T1567.