
Popular open-source observability tool Grafana has disclosed that it was breached and refused to pay a ransom after “an unauthorized party” stole a code database, which they then threatened to publish.
In a series of posts on X, the company said that a threat actor had obtained a token that granted them access to the GitHub environment and enabled them to download its codebase.
Grafana said it immediately launched a “forensic analysis,” which determined that no customer data or personal information was accessed during the incident.
“We have found no evidence of impact to customer systems or operations,” Grafana added.
The compromised credentials have since been invalidated, the company added, and extra security measures have been implemented.
While an extortion attempt was made, Grafana said it refused to pay the ransom and was following FBI guidelines, which state that “paying a ransom doesn’t guarantee you or your organization will get any data back.”
They added that paying up also only serves to “offer an incentive for others to get involved in this type of illegal activity.”
Grafana did not say when the breach occurred, and it has not been attributed to any known ransomware gang.
On social media, however, the attack was attributed to the Coinbase Cartel, a data extortion crew that emerged in September 2025. It's assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.
Monitoring dashboards are supposed to help defenders operate systems, but the concern for many is that, after a breach, the same data could also help attackers map out systems and identify targets.
Open-source software is under increasing attack because it has become part of the foundation of modern technology – and attackers know that compromising one widely used package can affect thousands or even millions of systems downstream.
“The question after a breach claim against the vendor running half the industry's observability stack is whether Prometheus endpoint reconnaissance, validator monitoring telemetry, RPC node metrics, and custody hot-cold dashboards now read as recon data,” cyber security firm DLTA wrote in a post on X.
Last week, it was reported that hundreds of malicious packages were being flagged in the npm and PyPI repositories, including those from TanStack and Mistral, which are hugely popular.