Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
The open-source data visualization tool Grafana has responded to a recent attack, stating that the attacker forked a Grafana repository, executed a curl command to inject malicious code, and exported environment variables into a file encrypted with a private key, thereby stealing access tokens. The attacker then deleted the fork to conceal their activity. Using the compromised credentials, the attacker replicated the attack against four private repositories. This unauthorized access was limited to automation systems and did not affect production environments or release artifacts. Based on the attack behavior, the goal appeared to be token theft and stealthy persistence for future use. Attack method (per SlowMist): Malicious Code Injection Attack. Reported loss: -.
- chain: —
- protocol: Grafana
- bug_class: private-key
- date_occurred: 2025-04-26
- loss_usd: —
- source_id: sm:grafana::2025-04-26