Grafana Labs / CoinbaseCartel — source-code-only theft confirmed; ransom rejected; detected by canary token
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
Grafana Labs confirmed on 2026-05-18 that the CoinbaseCartel data-extortion group used a compromised GitHub token granting access to Grafana's GitHub environment to exfiltrate private source code only — no customer data, no production systems — and that it rejected the ransom. (Earlier reporting attributed the entry to a pull_request_target GitHub Actions misconfiguration and credited a canary token with detection; the in-window victim-confirmation sources cited here state only the compromised-token vector, so those mechanism specifics are not asserted as fact.) The defender takeaway the sources do support: audit GitHub token scopes and lifetimes aggressively, restrict pull_request_target workflows as general hardening, and seed canary artefacts in private repositories as a low-cost detection layer for source-code exfiltration.
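One way to run the pull_request_target part of that hardening audit over a checked-out repository, as an added example that is not from Grafana Labs or the cited sources. It is a line-based heuristic (no YAML parser); the sample workflows, the function name and the finding strings are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample: privileged trigger plus checkout of the PR's head commit.
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Constructed sample: unprivileged trigger and a read-only token.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

HEAD_REF = re.compile(r"ref:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
TOP_PERMS = re.compile(r"^permissions:", re.M)

def audit_workflow(text):
    """Return heuristic findings for one workflow file (line-based, no YAML parser)."""
    # Drop comments so a commented-out trigger is not reported.
    body = "\n".join(l.split(" #")[0] for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = ["pull_request_target: job runs in the base repository's context"]
    if HEAD_REF.search(body):
        findings.append("checks out the pull request head under that trigger")
    if not TOP_PERMS.search(body):
        findings.append("no top-level permissions block restricting GITHUB_TOKEN")
    return findings

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".") / ".github" / "workflows"
    for wf in sorted(root.glob("*.y*ml")):
        for finding in audit_workflow(wf.read_text(encoding="utf-8")):
            print(f"{wf}: {finding}")
```

Run it with a repository path as the only argument; it only flags workflows for manual review and does not inspect job-level permissions blocks.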