Grafana Labs declines to pay ransom following the theft of code that is already open source.
Hackers exfiltrated an open-source codebase and then demanded a ransom to prevent its release. Grafana refused their demands, citing advice from the FBI. This represents the second notable extortion incident within a week.
On Monday, Grafana Labs, a company focused on open-source monitoring and visualization, revealed that its development environment had been breached. The hackers accessed its codebase and sought payment to keep it from being disclosed. Grafana pointed out that the codebase is already open source, which undercuts the attackers' leverage.
The specifics of the incident are critical. Grafana's statement on X indicated that the attackers utilized a compromised token credential to access the company's GitHub environment, which is used for code development. According to Grafana, this token did not permit access to customer records, systems, or financial information. The company has since invalidated the token and implemented additional security measures.
The Hacker News reported that the underlying issue stemmed from a newly activated GitHub Action with a 'Pwn Request' misconfiguration, which allowed external contributors to access production CI secrets via a pull_request_target workflow. The pattern is well known: a pull_request_target workflow runs in the context of the base repository, with access to its secrets, and if that workflow then checks out and executes the pull request's own code, an outside contributor's commit runs with those secrets. The breach was detected by one of Grafana's canary tokens, which triggered an internal alert.
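To make the misconfiguration concrete, here is an added example (not Grafana's workflow and not from any of the cited reports): a constructed workflow in the weak shape the paragraph describes, the hardened shape beside it, and a small heuristic audit that flags the dangerous pair of signals. The secret name DEPLOY_TOKEN, the `make test` step and the file names are assumptions for illustration; regex over the raw text is used so the script runs without PyYAML, and a real scanner should parse the YAML and walk each job's steps.

```python
import re

# Constructed workflow snippets for illustration; not Grafana's actual files.
# Weak shape: pull_request_target runs with the base repo's secrets and a
# read/write GITHUB_TOKEN, then checks out and executes code from the pull
# request head, i.e. whatever an external contributor pushed.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test            # executes the contributor's Makefile
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Hardened shape: plain pull_request trigger. For pull requests from forks
# this runs without repository secrets and with a read-only GITHUB_TOKEN, so
# untrusted code executes in a context with nothing worth exfiltrating.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Signals of the Pwn Request pattern.
PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}"
)
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")


def audit_workflow(text: str) -> dict:
    """Heuristic audit of one workflow file's text.

    The finding is the combination: a pull_request_target trigger plus a
    checkout of the pull request head. Explicit secrets are reported for
    context, but GITHUB_TOKEN is exposed even when none are referenced,
    so their absence does not make the workflow safe.
    """
    uses_prt = bool(PRT_TRIGGER.search(text))
    checks_out_head = bool(HEAD_CHECKOUT.search(text))
    secrets = sorted(set(SECRET_USE.findall(text)))
    return {
        "pull_request_target": uses_prt,
        "checks_out_pr_head": checks_out_head,
        "secrets_referenced": secrets,
        "vulnerable": uses_prt and checks_out_head,
    }


def audit_all(workflows: dict) -> list:
    """Return the names of workflows matching the Pwn Request pattern."""
    return [name for name, text in workflows.items()
            if audit_workflow(text)["vulnerable"]]


if __name__ == "__main__":
    sample = {"vulnerable.yml": VULNERABLE_WORKFLOW,
              "hardened.yml": HARDENED_WORKFLOW}
    for name, wf in sample.items():
        print(name, audit_workflow(wf))
    print("flagged:", audit_all(sample))
```

The safe alternatives, when privileged steps genuinely need the contributor's changes, are to keep pull_request_target but never check out the head ref, or to split the job: build and test under pull_request, then let a separate workflow_run job with secrets consume only the produced artifacts.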
The attackers, identified by The Register and Help Net Security as a data-extortion group known as CoinbaseCartel (operational since September 2025, according to Halcyon and Fortinet FortiGuard), framed their leverage as a choice between releasing the code or paying a ransom. Grafana stated, “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase.”
Grafana referenced the FBI’s longstanding guidance against paying ransoms, which emphasizes that such payments do not guarantee recovery of data and can incentivize further criminal activity.
The context of the incident is strengthened by comparing it to another recent case. Instructure, an education technology leader with its Canvas learning management platform serving 275 million users across over 8,800 institutions, agreed to pay hackers after experiencing two breaches in consecutive weeks by the ShinyHunters group. While Instructure has not disclosed the ransom amount, unconfirmed industry estimates suggest it was around $10 million. The company indicated it received "digital confirmation of data destruction (shred logs)" and assurances that customers would not face further extortion afterward, although security experts expressed skepticism about these guarantees.
The two cases highlight contrasting strategies. Instructure opted to pay because the data stolen was personal information of students and staff that, once released, could not be reversed. Grafana, on the other hand, declined payment because the stolen material was code already accessible in public repositories, rendering the threat somewhat performative. The attackers proceeded with their demands, operating on the assumption that some victims would pay, regardless of the actual leverage.
A structural analysis of recent incidents reveals a common theme. The defensive strategies of the enterprise software sector are increasingly focusing on AI-driven vulnerability discovery. Anthropic's Mythos model has uncovered thousands of zero-day vulnerabilities across major operating systems and browsers, and central bank regulators have aggressively sought to understand the implications of these capabilities in the financial system, with the company briefing the Financial Stability Board on its discoveries.
Notably, the Grafana breach was not an AI-driven attack based on the available evidence. Instead, it was a case of a compromised token and a misconfigured GitHub workflow, a breach pattern that has been commonplace for the past six years. While the mechanics remain unchanged, the extortion tactics built on top of them are evolving.
Grafana noted that its investigation is ongoing and will release findings once it is complete. The company did not specify which repositories were involved in the exfiltration nor publicly name the threat actor in its statement. A key takeaway from this situation is that the FBI’s no-pay guidance is increasingly being adopted as a policy by companies whose business models are sufficiently public to handle the optics. Grafana’s situation is unique, as its product is intentionally open source. The next challenge will be observing whether the no-pay stance extends to companies with proprietary intellectual property.