Grafana Labs GitHub Actions Breach: Code Repositories Accessed and Extortion Attempted via Misconfigured CI/CD Workflow


Executive Summary

On April 26, 2025, Grafana Labs detected unauthorized activity within its GitHub environment, triggered by a canary token alert. Investigation revealed that an attacker exploited a misconfigured GitHub Actions workflow to obtain automation tokens, which were then used to access and download code repositories. The attacker subsequently attempted to extort Grafana Labs by demanding a ransom to prevent public release of the stolen codebase. Grafana Labs refused the ransom demand, immediately invalidated all exposed credentials, and launched a comprehensive forensic investigation. No customer data, personal information, or production systems were accessed or compromised. The breach was contained to code repositories and automation tokens. Grafana Labs has since strengthened its CI/CD security protocols and continues to audit its environment. All technical findings and incident details are supported by primary sources, with no evidence of ongoing attacker presence or impact to customer operations (Grafana Labs, April 28, 2025; StepSecurity, April 28, 2025; KuCoin News, May 17, 2026).

Technical Information

The breach originated from a vulnerability in a GitHub Actions workflow (pr-patch-check-event.yml) in the public grafana/grafana repository. The workflow was configured to trigger on pull_request_target events, which run in the context of the base repository and therefore exposed its secrets to runs initiated from external forks. The attacker exploited this by submitting a malicious pull request with a specially crafted branch name; because the branch name was expanded unescaped into the workflow's script, this script injection let the attacker break out of the intended literal context and execute code within the workflow environment.
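As an added illustration (not code from Grafana Labs or from the referenced reports), the following Python script flags the class of misconfiguration described above: `${{ ... }}` expressions from pull-request-controlled contexts expanded inside `run:` steps of a workflow triggered by pull_request_target, which is the kind of check the workflow audit recommended under Mitigation & Workarounds calls for. The two workflow snippets, the script path and the context list are constructed for this example, and the scanner is a coarse text scan rather than a YAML parser.

```python
import re

# Contexts a PR author controls; expanding them inside a `run:` script lets a crafted
# branch name or title break out of the shell string (list is not exhaustive).
UNTRUSTED = ("github.head_ref", "github.event.pull_request.head.ref",
             "github.event.pull_request.title", "github.event.pull_request.body")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")    # inside of ${{ ... }}
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")  # a `run:` step line

def run_blocks(text):
    """Yield (line_no, script) for each `run:` step, folding `run: |` bodies."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m, i = RUN_RE.match(lines[i]), i + 1
        if m:
            line_no, indent, script = i, len(m.group(1)), m.group(2)
            if script in ("|", "|-", ">", ">-"):    # block scalar: take deeper-indented lines
                start = i
                while i < len(lines) and (not lines[i].strip()
                                           or len(lines[i]) - len(lines[i].lstrip()) > indent):
                    i += 1
                script = "\n".join(lines[start:i])
            yield line_no, script

def audit_workflow(text):
    """Return [(line_no, expr)] for untrusted contexts expanded inside run scripts."""
    if not re.search(r"\bpull_request_target\b", text):  # trigger that runs fork PRs with base-repo secrets
        return []
    return [(ln, e) for ln, s in run_blocks(text) for e in EXPR_RE.findall(s)
            if any(c in e for c in UNTRUSTED)]

# Constructed samples: the injectable pattern, then the same step hardened (env var + shell quoting).
VULNERABLE = """\
on: [pull_request_target]
jobs:
  check:
    steps:
      - run: |
          ./scripts/check.sh ${{ github.head_ref }} "${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: [pull_request_target]
jobs:
  check:
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: ./scripts/check.sh "$HEAD_REF" "$PR_TITLE"
"""
```

Running `audit_workflow(VULNERABLE)` reports both expressions on the `run:` line, while the hardened variant, which moves the values into environment variables and quotes them, produces no findings.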

Upon successful exploitation, the attacker accessed the secrets GRAFANA_DELIVERY_BOT_APP_ID and GRAFANA_DELIVERY_BOT_APP_PEM, which are used to generate GitHub App tokens. These tokens enabled the attacker to dispatch further malicious workflows and access additional private repositories. The attacker then pushed a new workflow (hrgqavynjp) that serialized all available GitHub Actions secrets, encrypted them using AES-256-CBC, encrypted the AES key with a hardcoded RSA public key, and uploaded both as artifacts to exfiltrate the credentials.

To cover their tracks, the attacker deleted both the fork and the malicious branch after exfiltration. This operational security step was confirmed by both Grafana Labs and independent analysis by StepSecurity. The attacker’s objective was to harvest tokens and remain undetected for potential future use, a tactic consistent with recent industry findings that indicate a delay between credential theft and exploitation.

Following the exfiltration, the attacker demanded a ransom from Grafana Labs to prevent public release of the stolen codebase. Grafana Labs refused to pay, instead opting to strengthen its security posture and conduct a full forensic investigation. The company confirmed that no customer data, personal information, or production systems were accessed or compromised. The breach was limited to code repositories and automation tokens.

The technical chain of the attack is mapped to several MITRE ATT&CK techniques, including T1677 (Poisoned Pipeline Execution), T1552 (Unsecured Credentials), T1041 (Exfiltration Over C2 Channel), T1070.004 (Indicator Removal on Host: File Deletion), and T1657 (Data Manipulation). No named malware was identified; the attack relied on malicious workflows and custom scripts for credential exfiltration. Defensive tools such as Trufflehog and Gato-X were used by Grafana Labs to audit and remediate the environment.

Attribution to a specific threat actor remains inconclusive, as the techniques used are common among both criminal and advanced persistent threat (APT) groups targeting CI/CD pipelines. The incident highlights the increasing prevalence of supply chain attacks leveraging public automation workflows and underscores the need for robust CI/CD security practices.

Affected Versions & Timeline

The breach affected the grafana/grafana public repository and four additional private repositories within the Grafana Labs GitHub environment. The incident was detected on April 26, 2025, when a canary token alert was triggered. Immediate investigation and mitigation actions were taken between April 26 and April 28, 2025, including disabling vulnerable workflows, rotating all exposed tokens, and auditing internal workflows. The incident was publicly disclosed by Grafana Labs on April 28, 2025, and further confirmed by independent sources on May 17, 2026, when the extortion attempt was reported.

No specific product versions were compromised, as the breach was limited to code repositories and automation tokens. No production systems, release artifacts, or customer environments were affected. The timeline of key events is as follows: April 26, 2025 – detection and initial response; April 28, 2025 – public disclosure; May 17, 2026 – confirmation of extortion attempt and refusal to pay ransom.

Threat Activity

The attacker exploited a misconfigured GitHub Actions workflow to gain unauthorized access to automation tokens and code repositories. The initial access vector was a pull request from an external fork, which triggered a workflow with access to sensitive secrets due to the use of the pull_request_target event. The attacker used a script injection technique to escape the workflow’s literal context and execute code that harvested credentials.

After obtaining the necessary tokens, the attacker pushed a malicious workflow designed to serialize and encrypt all available secrets, then exfiltrated them as artifacts. The attacker deleted the fork and malicious branch to minimize detection. Subsequently, the attacker attempted to extort Grafana Labs by demanding a ransom to prevent public disclosure of the stolen codebase. Grafana Labs refused the demand, invalidated all exposed credentials, and launched a forensic investigation.

No evidence was found of code modifications, unauthorized access to production systems, or exposure of customer data. The attacker’s activity was limited to code repositories and automation tokens. The incident demonstrates a sophisticated understanding of CI/CD pipeline vulnerabilities and operational security practices.

Mitigation & Workarounds

Critical: Immediately audit all GitHub Actions workflows, especially those triggered by pull_request_target or similar events that may expose secrets to external contributors. Remove or reconfigure any workflows that allow secrets to be accessed from untrusted sources.

Critical: Rotate all credentials, tokens, and secrets that may have been exposed through CI/CD workflows. Use tools such as Trufflehog to scan for hardcoded secrets and ensure full invalidation.

High: Implement mandatory reviews and approvals for workflow runs originating from public forks or external contributors. Restrict the use of sensitive secrets to trusted environments only.

High: Harden CI/CD environments by leveraging least-privileged permissions for GitHub Apps and automation tokens. Use environment secrets and enforce strict access controls.

Medium: Enable network and runtime monitoring for CI/CD runners to detect anomalous behavior and potential exfiltration attempts.

Medium: Regularly audit and test CI/CD workflows using automated tools such as Gato-X and integrate canary tokens to provide early detection of unauthorized activity.

Low: Educate development and DevOps teams on the risks associated with CI/CD pipeline vulnerabilities and best practices for secure workflow configuration.

References

https://grafana.com/blog/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/ (April 28, 2025)

https://www.stepsecurity.io/blog/grafana-github-actions-security-incident (April 28, 2025)

https://www.kucoin.com/news/flash/grafana-discloses-github-security-incident-hacker-stole-code-repository-and-demanded-ransom (May 17, 2026)

https://attack.mitre.org/techniques/T1677/ (MITRE ATT&CK T1677: Poisoned Pipeline Execution)

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations continuously monitor, assess, and manage the security posture of their supply chain and software development environments. Our platform enables early detection of CI/CD pipeline vulnerabilities, supports credential and workflow audits, and facilitates rapid response to supply chain threats. For questions or further information, please contact us at ops@rescana.com.