Supply‑Chain Token Theft Leads to Grafana Private Repo Exposure After Missed Rotation
What Happened — A malicious npm package published during the TanStack supply‑chain attack stole a GitHub workflow token from Grafana’s CI/CD pipeline. Grafana rotated most tokens but missed one, allowing the attacker to access private repositories and download source code and internal business‑contact information. No customer production data or cloud services were compromised.
Why It Matters for TPRM —
- Demonstrates how a third‑party component compromise can cascade into credential theft within a vendor’s build environment.
- Shows that incomplete token‑rotation processes can extend breach impact beyond the initial supply‑chain incident.
- Highlights the risk of internal code and business‑contact exposure, which can affect downstream customers and partners.
Who Is Affected — SaaS monitoring platforms, CI/CD service providers, organizations that rely on GitHub Actions, and any downstream customers using Grafana’s open‑source components or integrations.
Recommended Actions —
- Conduct an immediate audit of all CI/CD tokens and enforce automated, verifiable rotation after any supply‑chain alert.
- Implement strict allow‑list controls for npm packages and enforce integrity‑checking (e.g., SBOM, sigstore) in build pipelines.
- Re‑evaluate vendor security programs for supply‑chain resilience, token‑management hygiene, and incident‑response readiness.
Technical Notes — Attack vector: third‑party npm supply‑chain compromise (TanStack). Credential theft via malicious code executed in GitHub Actions. Exfiltrated data: GitHub workflow token, private repository source code, business‑contact names and email addresses. No CVE was disclosed. Source: BleepingComputer