Grafana Labs has disclosed that its source code was stolen after hackers breached its GitHub environment using a stolen access token. The newly active extortion group CoinbaseCartel claimed responsibility by adding Grafana to its data leak site (DLS), though no data has been published yet. CoinbaseCartel, believed by researchers to consist of ShinyHunters and Lapsus$ affiliates, has claimed more than 100 victims since launching last September, relying primarily on social engineering, phishing, and compromised credentials to gain initial access.
The group has also reportedly deployed an in-memory tool called "shinysp1d3r" to encrypt VMware ESXi environments and disable snapshots, signaling a shift toward hypervisor-targeted ransomware that can cripple entire virtualized infrastructures in a single stroke. The Grafana incident reflects a broader trend: modern breaches increasingly originate from leaked or stolen secrets (API keys, OAuth tokens, CI/CD credentials), with code repositories, SaaS platforms, and developer tooling emerging as high-value targets in the software supply chain.
Detecting credential abuse and source code exfiltration at this scale requires correlated visibility across identity events, SaaS audit logs, network flows, DNS activity, and packet-level data. Effective defenses include continuous secret scanning across repositories and build pipelines, behavioral analytics on API token usage, anomaly detection on data egress volumes, and forensic-grade traffic capture to reconstruct exactly what was accessed during an incident. Unified cybersecurity and observability platforms like NIKSUN — which consolidate packets, flows, logs, events, and threat intelligence into a single data lake with AI-driven analytics and forensics — give security teams the cross-domain context needed to identify stolen-credential activity, surface anomalous repository access, and contain SaaS supply chain attacks before source code or sensitive data leaves the environment.
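
The behavioral analytics on API token usage mentioned above can be shown as a detector over repository audit events that flags a token used from an unfamiliar address and a token that clones many distinct repositories in a short window. This is an added example, not code from the original article or from any product it names; the records are constructed, and the field names (`ts`, `token`, `ip`, `action`, `repo`), the `KNOWN_IPS` baseline and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real data); field names are assumptions.
EVENTS = [
    {"ts": "2025-01-10T08:00:00", "token": "tok_dev", "ip": "198.51.100.20",
     "action": "git.clone", "repo": "org/app"},
    {"ts": "2025-01-10T09:00:00", "token": "tok_ci", "ip": "198.51.100.7",
     "action": "git.clone", "repo": "org/app"},
    {"ts": "2025-01-10T13:00:00", "token": "tok_ci", "ip": "198.51.100.7",
     "action": "git.clone", "repo": "org/app"},
] + [
    {"ts": f"2025-01-10T14:0{i}:00", "token": "tok_dev", "ip": "203.0.113.50",
     "action": "git.clone", "repo": repo}
    for i, repo in enumerate(
        ["org/app", "org/infra", "org/billing", "org/auth", "org/deploy"])
]

# Assumed baseline: source addresses each token has historically used.
KNOWN_IPS = {"tok_dev": {"198.51.100.20"}, "tok_ci": {"198.51.100.7"}}


def flag_token_abuse(events, known_ips, max_repos=3,
                     window=timedelta(minutes=10)):
    """Return {token: sorted reasons} for tokens with suspicious clones."""
    by_token = defaultdict(list)
    for e in events:
        if e["action"] == "git.clone":
            ts = datetime.fromisoformat(e["ts"])
            by_token[e["token"]].append((ts, e["ip"], e["repo"]))

    findings = defaultdict(set)
    for token, rows in by_token.items():
        rows.sort()
        start = 0  # left edge of the sliding time window
        for end, (ts, ip, _repo) in enumerate(rows):
            if ip not in known_ips.get(token, set()):
                findings[token].add(f"new_ip:{ip}")
            while ts - rows[start][0] > window:
                start += 1
            distinct = {r for _, _, r in rows[start:end + 1]}
            if len(distinct) > max_repos:
                findings[token].add("clone_burst")
    return {t: sorted(r) for t, r in findings.items()}


if __name__ == "__main__":
    print(flag_token_abuse(EVENTS, KNOWN_IPS))
```
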