Executive Summary
In May 2026, Grafana Labs experienced a security breach stemming from the TanStack npm supply-chain attack orchestrated by the cybercrime group TeamPCP. The attackers published malicious versions of TanStack packages, which, when integrated into Grafana's CI/CD pipeline, executed credential-stealing malware. This led to the exfiltration of GitHub workflow tokens, granting unauthorized access to Grafana's private repositories. Although the company promptly rotated most tokens upon detecting the intrusion, one token was overlooked, enabling the attackers to access and download the company's source code and internal operational information. Importantly, no customer data or production systems were compromised during this incident. (grafana.com)
This breach underscores the escalating threat posed by sophisticated supply-chain attacks targeting widely-used open-source packages. Organizations must enhance their vigilance and implement robust security measures within their development pipelines to mitigate such risks. The incident also highlights the critical importance of comprehensive credential management and the necessity for thorough audits to ensure all potential vulnerabilities are addressed promptly.
Why This Matters Now
The Grafana breach highlights the urgent need for organizations to secure their software supply chains against increasingly sophisticated attacks targeting open-source dependencies. As these attacks become more prevalent, ensuring comprehensive credential management and thorough security audits is essential to prevent unauthorized access and data breaches.
Attack Path Analysis
Attackers compromised Grafana's CI/CD pipeline by injecting malicious code into TanStack npm packages, leading to the exfiltration of GitHub workflow tokens. Utilizing a missed token during the rotation process, they escalated privileges to access private repositories. The attackers then moved laterally within the GitHub environment to access additional repositories. They established command and control by maintaining access through the compromised token. Sensitive source code and operational information were exfiltrated from the repositories. The impact included unauthorized access to proprietary code and business information, though no customer data was affected.
Kill Chain Progression
Initial Compromise
Description
Attackers injected malicious code into TanStack npm packages, which were consumed by Grafana's CI/CD pipeline, leading to the execution of info-stealer modules.
Related CVEs
CVE-2026-45321
CVSS 9.6Malicious versions of TanStack npm packages were published, allowing attackers to execute credential-stealing malware under a trusted identity.
Affected Products:
TanStack TanStack npm packages – Affected versions published on 2026-05-11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Unsecured Credentials: Credentials in Files
Valid Accounts
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply-chain attacks targeting npm packages and CI/CD workflows directly threaten software development environments, requiring enhanced token rotation and egress security controls.
Information Technology/IT
GitHub token compromise via malicious packages exposes IT infrastructure management systems, demanding zero trust segmentation and multicloud visibility for development operations.
Financial Services
Credential-stealing malware in developer tools threatens financial institutions' code repositories and business data, violating PCI compliance requirements for secure development practices.
Health Care / Life Sciences
Healthcare organizations using affected development tools face HIPAA compliance violations through compromised repositories containing patient data processing code and operational information.
Sources
- Grafana breach caused by missed token rotation after TanStack attackhttps://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/Verified
- Grafana Labs security update: Latest on TanStack npm supply chain ransomware incidenthttps://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/Verified
- Postmortem: TanStack npm supply-chain compromisehttps://tanstack.com/blog/npm-supply-chain-compromise-postmortemVerified
- CVE-2026-45321: Critical Supply Chain Attack on TanStack NPM Packageshttps://www.thehackerwire.com/cve-2026-45321-critical-supply-chain-attack-on-tanstack-npm-packages/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute unauthorized code within the CI/CD pipeline would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to use compromised tokens to access private repositories would likely be limited, reducing the scope of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the GitHub environment would likely be constrained, reducing the risk of accessing additional repositories.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent control over the environment would likely be reduced, limiting the duration of unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The attacker's ability to access proprietary code and business information would likely be limited, reducing the overall impact of the breach.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: N/A
Estimated loss: N/A
Source code and operational information, including business contact names and email addresses.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access between CI/CD pipelines and sensitive repositories.
- • Enhance Threat Detection & Anomaly Response to identify and respond to unauthorized access attempts promptly.
- • Enforce strict Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Regularly rotate and audit all access tokens to minimize the risk of credential compromise.
- • Conduct comprehensive reviews of third-party packages and dependencies to detect and mitigate supply chain vulnerabilities.
