Cloud Threat Landscape

Grafana GitHub Action attempted supply chain attack

Type: Incident
Actors: Unknown
Pub. date: April 27, 2025
Initial access: Cloud native misconfig
Impact: None
Observed techniques: Misconfigured GitHub Action abuse; Credential theft
Targeted technologies: GitHub
References: https://grafana.com/blog/2025/04/27/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/
Status: Finalized
Last edited: May 11, 2025 1:24 PM

Grafana Labs detected suspicious activity via a triggered canary token, leading to the discovery of unauthorized access enabled by a misconfigured GitHub Action. An attacker exploited the workflow by forking a Grafana repository, injecting a malicious curl command to extract environment variables (including credentials), encrypting them with a private key, and then deleting the fork to avoid detection. The stolen credentials were then reused to access four private repositories. Grafana Labs confirmed that no production systems, customer data, or code repositories were modified during the incident.

The attacker appeared to be harvesting credentials for future use, consistent with broader threat actor behaviors where exploitation follows initial access after days or weeks. In response, Grafana Labs revoked all exposed tokens, disabled vulnerable GitHub workflows, and conducted a full audit using tools like Trufflehog, Gato-X, and Grafana Loki.
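The entry does not say which workflow misconfiguration let fork code run with repository secrets. The added audit script below (not Grafana's or Wiz's code) assumes the common pattern of a pull_request_target trigger that checks out the pull request's head and exposes secrets, shows a hardened counterpart, and flags the weak one; both workflow texts are constructed samples.

```python
import re

# Constructed weak workflow: pull_request_target runs in the base repository's
# context (secrets available) but checks out the untrusted fork's head commit,
# so a step from the fork can read the job's environment.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          TOKEN: ${{ secrets.TOKEN }}
"""

# Constructed hardened workflow: plain pull_request gives fork PRs a read-only
# GITHUB_TOKEN and no repository secrets, and permissions are pinned to read.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS = re.compile(r"\bsecrets\.\w+")

def audit_workflow(text: str) -> list[str]:
    """Return findings for a workflow file's raw text (regex-based triage, not a YAML parser)."""
    findings = []
    if TRIGGER.search(text):
        if HEAD_REF.search(text):
            findings.append("pull_request_target checks out the PR head: fork code runs with base-repo context")
        if SECRETS.search(text):
            findings.append("pull_request_target job references repository secrets")
    return findings
```

Run it over every file under .github/workflows and review each hit by hand; a pull_request_target job that never checks out or executes fork content can be legitimate.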

Made with 💙 by Wiz

Last Updated: April 3, 2025