The Grafana data breach was caused by a single GitHub workflow token that was missed during the credential rotation that followed last week's TanStack npm supply chain attack.
The ongoing Shai-Hulud malware campaign, attributed to the TeamPCP hackers, published dozens of TanStack packages infected with credential-stealing code to the npm registry, compromising developer environments, including Grafana's.
Once the malicious npm package was published, Grafana's CI/CD workflow consumed it, an information-stealing module ran inside that GitHub Actions environment, and the GitHub workflow token available to the job was leaked to the attacker.
The company says it detected malicious activity stemming from the compromise of the TanStack package on May 1st and immediately deployed an incident response plan that included rotating GitHub workflow tokens.
However, one token was missed in the process, and the attackers used it to access the company's private repositories.
“We performed analysis and quickly rotated numerous GitHub workflow tokens, but a token was missed, allowing the attacker to access the GitHub repository,” the Grafana update reads.
“Subsequent investigation showed that certain GitHub workflows that were initially believed to be unaffected were in fact compromised.”
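The chain described above (a package's install script running inside a CI job and reading the credentials that job can see, followed by a rotation pass that missed a token because some workflows were wrongly judged unaffected) suggests the check an incident responder wants: enumerate every secret each workflow exposes to package install scripts, then diff that set against the rotation log. The script below is an added example written for this article, not Grafana's own tooling; the workflow files, secret names and rotation log are constructed and hypothetical. It flags npm install steps that still allow lifecycle scripts (no `--ignore-scripts`) and treats every secret referenced anywhere in such a workflow as exposed, which is deliberately conservative, since a package that executes during install can also persist into later steps of the same job.

```python
import re
from typing import Dict, Set

# Constructed sample workflows for illustration only; these are not Grafana's CI files.
WORKFLOWS: Dict[str, str] = {
    ".github/workflows/build.yml": """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: ./scripts/publish.sh
        env:
          GH_PAT: ${{ secrets.RELEASE_BOT_PAT }}
""",
    ".github/workflows/docs.yml": """
name: docs
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm run build-docs
""",
    ".github/workflows/nightly.yml": """
name: nightly
on:
  schedule:
    - cron: "0 3 * * *"
jobs:
  nightly:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
        env:
          DEPLOY_KEY: ${{ secrets.NIGHTLY_DEPLOY_KEY }}
""",
}

# Hypothetical rotation log after a first response pass: the nightly job was
# judged "unaffected", so its key was never rotated.
ROTATED: Set[str] = {"NPM_TOKEN", "RELEASE_BOT_PAT"}

# Matches ${{ secrets.NAME }} references (with optional inner whitespace).
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Matches an npm install/ci step that does NOT pass --ignore-scripts on the same
# line, i.e. a step where a malicious package's lifecycle script would execute.
# yarn/pnpm are out of scope for this example.
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:ci|install|i)\b(?![^\n]*--ignore-scripts)")


def secrets_referenced(workflow_text: str) -> Set[str]:
    """All repository/org secrets a workflow file references."""
    return set(SECRET_RE.findall(workflow_text))


def runs_install_scripts(workflow_text: str) -> bool:
    """True if the workflow has an npm install step that allows lifecycle scripts."""
    return NPM_INSTALL_RE.search(workflow_text) is not None


def exposed_secrets(workflows: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each workflow that runs install scripts to the secrets it exposes."""
    return {
        path: secrets_referenced(text)
        for path, text in workflows.items()
        if runs_install_scripts(text)
    }


def missed_rotations(workflows: Dict[str, str], rotated: Set[str]) -> Set[str]:
    """Secrets exposed to install scripts that do not appear in the rotation log."""
    exposed = set().union(*exposed_secrets(workflows).values())
    return exposed - rotated


if __name__ == "__main__":
    for path, names in exposed_secrets(WORKFLOWS).items():
        print(f"{path}: install scripts enabled, exposes {sorted(names)}")
    print("still unrotated:", sorted(missed_rotations(WORKFLOWS, ROTATED)))
```

Run against the constructed inputs, the docs workflow is skipped because it installs with `--ignore-scripts`, the build and nightly workflows are flagged, and `NIGHTLY_DEPLOY_KEY` is reported as unrotated. In a real response the inventory should also cover reusable and composite workflows, organization-level secrets, and the `GITHUB_TOKEN` permissions granted to each job, none of which this regex pass sees.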
The company previously acknowledged that the intruders had stolen its source code, assured customers there would be no impact, and said the hackers would not receive a ransom.
Continued investigation revealed that the intruders also downloaded internal operational information that Grafana uses in the course of its business.
“This includes business contact names and email addresses exchanged in the context of a business relationship. It does not include information obtained or processed from production systems or the Grafana Cloud platform.” – Grafana
The company emphasizes that this is not customer production data and that, based on the latest evidence and analysis, no customer production systems or operations have been compromised.
Grafana Labs also noted that because the codebase was not modified during the incident, the code downloaded by users during the event is considered safe and users do not need to take any action.
Grafana Labs has promised to notify affected customers directly if this assessment changes based on new evidence from the ongoing investigation.
