Grafana Labs rejects ransom demand after hackers obtain code that is already open source.
The hackers extracted a codebase that was already open source and then demanded a ransom to prevent its release. Grafana refused to comply, referencing the FBI's established advice. This marks the second prominent extortion incident in just a week.
On Monday, Grafana Labs, the company focused on open-source monitoring and visualization tools, revealed that hackers had breached its development environment, stolen a copy of its codebase, and demanded payment to stop the code from being published. The company declined the ransom demand, pointing out that the codebase is already publicly available.
What matters are the specifics of the incident. Grafana's announcement on X confirmed that the attackers utilized a stolen token credential, which granted them access to the company's GitHub environment where the code development occurs. According to Grafana, the token did not allow access to customer data, systems, or financial information. The token has since been rendered invalid, and additional security measures have been implemented.
According to reports from Hacker News, the breach was caused by a recently activated GitHub Action that had a ‘Pwn Request’ misconfiguration, allowing external contributors unintended access to critical production CI secrets. The intrusion was detected by one of Grafana’s canary tokens, triggering an internal alert.
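To make the "Pwn Request" misconfiguration concrete, the following is an added illustration written for this page, not Grafana's actual workflow (the page does not identify which workflow was affected, and the job names, repository layout, and the `DEPLOY_KEY` secret are assumed). The first document shows the dangerous shape: a workflow triggered by `pull_request_target` runs in the context of the base repository, so it receives the repository's secrets and a write-capable `GITHUB_TOKEN` even when the pull request comes from a fork; checking out the pull request head and then executing anything from it hands that privilege to an external contributor. The second document shows the corrected shape.

```yaml
# Document 1: the "Pwn Request" pattern (constructed example, not Grafana's workflow).
# pull_request_target = base-repo context: secrets and a write-capable GITHUB_TOKEN
# are available to this job regardless of where the pull request came from.
name: ci-vulnerable
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the contributor's commit, i.e. untrusted code from a fork.
          ref: ${{ github.event.pull_request.head.sha }}
      # Runs the fork's own package.json scripts and tests, so whatever the
      # contributor put there executes with the secret below in its environment.
      - run: npm ci && npm test
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}   # assumed secret name
---
# Document 2: the corrected shape (constructed example).
# Untrusted code runs under plain pull_request, which for forks gets a
# read-only GITHUB_TOKEN and no access to repository secrets. The explicit
# permissions block keeps the token read-only even for same-repo branches.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Default checkout of the merge ref; no secrets are passed to this job.
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

A quick audit of a repository for this pattern is to search `.github/workflows/` for `pull_request_target` and flag any such workflow that also checks out `github.event.pull_request.head.sha` or `head.ref` and then runs build or test commands; work that genuinely needs secrets (labelling, commenting) should be kept in a separate job that never executes the contributor's code. The canary token that alerted Grafana is the complementary detective control: a credential planted where no legitimate job should read it, so that any use of it is itself the alarm.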
The attackers, known as the CoinbaseCartel across various reports, presented their demands as a choice between release or payment. Grafana's response stated, "The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase."
Grafana emphasized the FBI's long-standing warning that paying ransoms does not ensure the return of data, can incentivize more illegal actions, and ultimately finances further attacks.
The contrast with the past week’s incidents is noteworthy. Instructure, a major player in education technology with its Canvas learning-management platform used by 275 million users across over 8,800 institutions, reached a settlement with hackers last week after experiencing two breaches in consecutive weeks by the ShinyHunters group. Instructure has not disclosed the ransom amount, but unverified industry estimates suggest it was around $10 million. The company stated they received 'digital confirmation of data destruction (shred logs)' and assurances of no further extortion against customers.
Security experts responded with skepticism regarding those assurances.
These two incidents highlight very different strategies. Instructure opted to pay because the stolen data consisted of irreplaceable personal information of students and staff, while Grafana refused since the material taken was already available in the company's public repositories. In this sense, the threat posed by the attackers was largely performative, yet they proceeded with their demands based on the assumption that a percentage of victims pay, regardless of the actual leverage.
The overarching theme in the past week's events is a recurring one. The enterprise software sector is increasingly focused on AI-driven vulnerability detection; for instance, Anthropic's Mythos model has been identifying thousands of zero-day vulnerabilities in major operating systems and browsers. Furthermore, central-bank regulators have intensified their oversight concerning the implications of these capabilities within the financial sector, with the company briefing the Financial Stability Board on its findings.
The Grafana breach did not appear to be an AI-fueled attack, according to available evidence. Instead, it was a token misuse exploit against a GitHub workflow, typical of data breaches over the past six years. The mechanics remain the same, but the approach to extortion is evolving.
Grafana said that its investigation is ongoing and that it plans to release its findings once the inquiry is complete. The company did not specify which repositories were compromised, nor did it name the threat actor in its statement. A key takeaway is that the FBI's guidance against ransom payments is increasingly being adopted as policy by companies whose public business models can absorb the optics. Grafana benefits from the fact that its product is deliberately open source. Whether firms holding proprietary intellectual property will embrace the same no-payment approach is the open question, and the next test for these threat actors.