ctipilot.ch


Grafana Labs / CoinbaseCartel — source-code-only theft confirmed; ransom rejected; detected by canary token

notable incident discovered 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Grafana Labs confirmed on 2026-05-18 that the CoinbaseCartel data-extortion group used a compromised GitHub token granting access to Grafana's GitHub environment to exfiltrate private source code only — no customer data, no production systems — and that it rejected the ransom. (Earlier reporting attributed the entry to a pull_request_target GitHub Actions misconfiguration and credited a canary token with detection; the in-window victim-confirmation sources cited here state only the compromised-token vector, so those mechanism specifics are not asserted as fact.) The defender takeaway the sources do support: audit GitHub token scopes and lifetimes aggressively, restrict pull_request_target workflows as general hardening, and seed canary artefacts in private repositories as a low-cost detection layer for source-code exfiltration.
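As a concrete form of the pull_request_target hardening named in the takeaway, the following added example (not code from Grafana Labs or the cited sources) is a line-based heuristic that flags workflows combining that trigger with a checkout of the pull request head, broad token permissions, or repository secrets. The sample workflows, the finding names and the DEPLOY_TOKEN secret are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration (not from any real repository).
RISKY = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted PR code
      - run: make test
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""
SAFE = """\
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")

def audit_workflow(text):
    """Return hardening findings for one workflow file (heuristic, no YAML parser)."""
    # Strip YAML comments so a commented-out trigger is not counted.
    body = "\n".join(re.sub(r"(^|\s)#.*", "", ln) for ln in text.splitlines())
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = []
    # This trigger runs in the base repository's context; checking out the PR head there runs contributor code.
    if re.search(r"uses:\s*actions/checkout@", body) and HEAD_REF.search(body):
        findings.append("checks-out-pr-head")
    if re.search(r"^\s*permissions:\s*write-all\s*$", body, re.M):
        findings.append("write-all-permissions")
    elif not re.search(r"^\s*permissions:", body, re.M):
        findings.append("no-explicit-permissions")
    if re.search(r"\bsecrets\.(?!GITHUB_TOKEN\b)\w+", body):
        findings.append("references-secrets")
    return findings
```

Run audit_workflow over each file under .github/workflows and review any non-empty result by hand; a regex pass of this kind is a triage aid, not a substitute for reading the workflow.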

data-breach supply-chain organized-crime global