Grafana's data breach stemmed from a GitHub workflow token that escaped rotation procedures following the TanStack npm supply-chain attack. The oversight left credentials exposed after the initial security incident.
Grafana confirmed this week that its recent security breach originated from a single GitHub workflow token that was not properly rotated in the aftermath of the TanStack npm package compromise.
The sequence of events began when attackers compromised the TanStack npm registry, a widely-used JavaScript library. During the incident response, Grafana identified the need to rotate sensitive credentials, including GitHub tokens used in automated workflows. However, one token slipped through the rotation process, remaining active and accessible to attackers who had gained access to Grafana's systems.
The token provided attackers with the ability to access Grafana's repository and associated infrastructure, enabling them to extract sensitive data. The company discovered the breach during subsequent security investigations and immediately initiated containment measures.
This incident underscores the critical importance of comprehensive token management during security incidents. When supply-chain attacks occur, organizations must systematically rotate all exposed credentials across their entire infrastructure—a process that requires careful tracking to ensure nothing is overlooked.
Grafana has since rotated all affected tokens and implemented enhanced monitoring for GitHub workflow activity. The company is working with affected customers and has disclosed details about the scope of accessed data.
The breach highlights a broader vulnerability in development pipelines: workflow tokens represent a high-value target for attackers, as they can grant access to source code repositories and CI/CD systems. Security teams increasingly face the challenge of managing hundreds or thousands of tokens across complex environments, making manual rotation processes error-prone.
Organizations are being advised to implement automated token rotation systems, adopt secrets management solutions, and conduct regular audits of active credentials. The incident also reinforces the cascading risk inherent in supply-chain compromises—when one trusted dependency is breached, the impact can extend far beyond the initial victim.
LastPass has issued a warning about an active phishing campaign using fraudulent security notices to redirect users to malicious websites. The scheme targets both LastPass and Bitwarden password manager users.
Microsoft has rolled out cumulative updates KB5101650 and KB5099414 for Windows 11, addressing security vulnerabilities and bugs across multiple versions. The updates target versions 25H2/24H2 and 23H2.
Iran leveraged known vulnerabilities in mobile networks to identify and target U.S. military personnel in the Middle East during the buildup to and early stages of armed conflict.
Security researchers can now validate system vulnerabilities by analyzing attack techniques rather than launching live exploits. This approach eliminates risks to critical infrastructure while still determining exploitability.