ctipilot.ch


Grafana Labs / CoinbaseCartel — Pwn-Request GitHub Actions breach; private codebase exfiltrated; ransom rejected

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

On 2026-05-16, Grafana Labs disclosed that CoinbaseCartel — a data-extortion group active since September 2025, focused exclusively on theft without encryption — exploited a pull_request_target GitHub Actions workflow misconfiguration ("Pwn Request") to exfiltrate a privileged GitHub token and clone the private codebase. The attack vector: fork a public repository, inject curl into the pull_request_target workflow to dump environment variables to an encrypted file, then delete the fork to erase evidence. Grafana detected the exfiltration via a triggered canary token embedded in the private code (not from automated secrets scanning). A ransom was demanded and rejected. Grafana confirmed that no customer data, production systems, or running infrastructure were accessed — the exposure was limited to private source code. The canary-token detection is an instructive model; the pull_request_target vulnerability class is the same pattern documented in tj-actions/changed-files (SLSA gap).

Hunt for this in your own GitHub organisation: audit logs for pull_request_target workflow runs where head_repository.owner differs from the base repository owner.
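An added example, not from the brief or from Grafana: a Python triage of workflow-run records shaped like the GitHub REST API `actions/runs` response, applying the owner-mismatch rule above and additionally flagging pull_request_target runs whose head repository is missing (assumed here to be how a since-deleted fork appears). The run data is constructed.

```python
"""Triage GitHub Actions workflow runs for fork-originated pull_request_target
executions, the pattern described in the brief above.

Input: a list of run objects shaped like the GitHub REST API
GET /repos/{owner}/{repo}/actions/runs response (fields used: id, event,
head_branch, actor.login, repository.owner.login, head_repository.owner.login).
"""
from typing import Optional


def classify_run(run: dict) -> Optional[str]:
    """Return a finding label for a suspicious pull_request_target run, else None."""
    if run.get("event") != "pull_request_target":
        return None
    base_owner = run["repository"]["owner"]["login"]
    head_repo = run.get("head_repository")
    if head_repo is None:
        # Assumption: the head repository is absent when the source fork has been
        # deleted, which is the evidence-erasure step described in the brief.
        return "pull_request_target run whose head repository no longer exists"
    head_owner = head_repo["owner"]["login"]
    if head_owner != base_owner:
        return f"pull_request_target run from fork owned by {head_owner}"
    return None


def hunt(runs: list) -> list:
    """Collect findings across a batch of runs, keyed by run id and actor."""
    findings = []
    for run in runs:
        label = classify_run(run)
        if label:
            findings.append({"run_id": run["id"], "actor": run["actor"]["login"],
                             "branch": run.get("head_branch"), "finding": label})
    return findings


# Constructed sample runs for an org-owned repo (not real Grafana data).
SAMPLE_RUNS = [
    {"id": 101, "event": "pull_request_target", "head_branch": "main",
     "actor": {"login": "maintainer"}, "repository": {"owner": {"login": "example-org"}},
     "head_repository": {"owner": {"login": "example-org"}}},
    {"id": 102, "event": "pull_request_target", "head_branch": "fix-typo",
     "actor": {"login": "outside-user"}, "repository": {"owner": {"login": "example-org"}},
     "head_repository": {"owner": {"login": "outside-user"}}},
    {"id": 103, "event": "pull_request_target", "head_branch": "ci",
     "actor": {"login": "outside-user"}, "repository": {"owner": {"login": "example-org"}},
     "head_repository": None},
    {"id": 104, "event": "push", "head_branch": "main",
     "actor": {"login": "maintainer"}, "repository": {"owner": {"login": "example-org"}},
     "head_repository": {"owner": {"login": "example-org"}}},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUNS):
        print(finding)
```

Feed it the paginated output of the runs endpoint for each repository that defines a pull_request_target workflow; a same-owner branch run (101) and a push run (104) are ignored, while 102 and 103 surface for review.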