Grafana Codebase Stolen via Unrotated Token in TanStack Supply Chain Attack

Grafana confirmed its GitHub repositories were compromised, leading to the theft of its codebase and other data. The breach, as reported by SecurityWeek, stemmed from an unrotated token that was initially compromised during the broader TanStack supply chain attack.

This incident highlights a critical failure in post-incident hygiene. Even after a supply chain event like TanStack, organizations often miss residual risks. A compromised token, if not immediately revoked and replaced across all integrated services, remains a live threat, providing attackers with persistent access.

Attackers leveraged this oversight to access Grafana’s source code, which can expose intellectual property, reveal architectural weaknesses, and potentially lead to new attack vectors if vulnerabilities are discovered within the code itself. This is a clear indicator that the attacker’s calculus prioritizes leveraging existing access over developing new exploits when possible.

What This Means For You

  • If your organization integrates with third-party libraries or services, immediately audit all API tokens, OAuth grants, and SSH keys that might have been exposed in *any* past supply chain incident, even if the direct impact seemed minimal at the time. Assume compromise and rotate them. This Grafana incident proves that an unrotated token from a *prior* breach can become the pivot point for a *new* attack.
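One way to run the audit described above over a credential inventory, as an added example that is not from the original article. The inventory entries, system names, incident name and dates are constructed placeholders, not details of the Grafana or TanStack incidents.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                      # api_token | oauth_grant | ssh_key
    issued: date
    last_rotated: Optional[date]   # None means never rotated
    reachable_from: frozenset      # systems that can read the secret

@dataclass(frozen=True)
class Incident:
    name: str
    affected: frozenset            # systems touched by the incident
    contained: date                # day the exposure is known to have ended

def needs_rotation(cred, incident):
    """True if the value in use today already existed while the incident was
    open and was readable from an affected system."""
    live_since = cred.last_rotated or cred.issued
    exposed = bool(cred.reachable_from & incident.affected)
    # Rotating *during* the incident does not count: the attacker may still
    # have had access, so only a value minted after containment is clean.
    return exposed and live_since <= incident.contained

def audit(creds, incidents):
    """Map credential name -> sorted names of incidents that require rotating it."""
    report = {}
    for c in creds:
        hits = sorted(i.name for i in incidents if needs_rotation(c, i))
        if hits:
            report[c.name] = hits
    return report

# Constructed inventory and incident; every name and date is a placeholder.
INCIDENT = Incident("upstream-package-compromise", frozenset({"ci-runner"}), date(2025, 1, 10))
INVENTORY = [
    Credential("github-release-token", "api_token", date(2024, 3, 1), None, frozenset({"ci-runner"})),
    Credential("registry-publish-token", "api_token", date(2024, 3, 1), date(2025, 1, 8), frozenset({"ci-runner"})),
    Credential("deploy-ssh-key", "ssh_key", date(2024, 6, 1), date(2025, 1, 12), frozenset({"ci-runner"})),
    Credential("billing-oauth-grant", "oauth_grant", date(2023, 9, 1), None, frozenset({"finance-app"})),
]

if __name__ == "__main__":
    for name, hits in audit(INVENTORY, [INCIDENT]).items():
        print(f"ROTATE {name}: live during {', '.join(hits)}")
```

The second inventory entry is the case that is easy to miss: it was rotated, but before containment, so the replacement value is treated as exposed too.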

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| Grafana-TanStack-SupplyChain | Supply Chain Attack | Compromised GitHub token related to TanStack |
| Grafana-TanStack-SupplyChain | Information Disclosure | Grafana GitHub repositories accessed |
| Grafana-TanStack-SupplyChain | Information Disclosure | Grafana codebase stolen |