Grafana Labs on Tuesday said the breach of its GitHub environment earlier this month originated from the TanStack npm supply chain attack that was linked to the Mini Shai-Hulud compromise.
The company on Saturday said a threat group downloaded its codebase after gaining access to its GitHub environment using a leaked token. The hackers attempted to blackmail Grafana Labs, threatening to leak the codebase, but the company refused to submit to the demands.
More than 7,000 customers, including Nvidia, Microsoft, Anthropic and others, use Grafana’s observability platform.
On Tuesday, Grafana confirmed in an update from CISO Joe McManus that the codebase breach originated from a supply chain attack on TanStack, a popular open source framework for building web applications. The Mini Shai-Hulud attack, which compromised hundreds of npm packages, is linked to a threat group tracked as Team PCP. TanStack earlier this month confirmed that an attacker had published 84 malicious versions across 42 of its packages.
Grafana said it first detected malicious activity on May 11 and, as part of its initial response, quickly rotated a “significant number” of GitHub workflow tokens. One token was missed, however, and the attackers used it to gain access to the company’s GitHub repositories.
The hackers contacted Grafana on May 16, but the company refused the extortion demand, in part due to FBI guidance that a ransom payment would only encourage future attacks.
Grafana said the attack’s impact was limited to its GitHub repositories, including public and private source code as well as internal repos.
To bolster security, Grafana said it rotated automation tokens, audited all commits since the May 11 incident and hardened its GitHub defenses.
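The failure mode described above, a rotation sweep that misses a single token, is the kind of gap a post-incident audit should catch mechanically rather than by memory. The following Python is an added example and not Grafana’s own tooling; it assumes the documented GitHub REST endpoints that list Actions, environment, organization and Dependabot secrets (they return each secret’s name and timestamps, never its value), and the sample listing, names and dates in it are constructed for illustration.

```python
"""Post-incident audit of GitHub Actions secrets: flag any secret whose
value was not rotated after the incident response began.

Added example, not Grafana's code. Rotating a secret updates its
updated_at, so a secret whose updated_at predates the response cutoff
still holds a pre-incident value and was missed by the sweep."""
import json
import urllib.request
from datetime import datetime, timezone

GITHUB_API = "https://api.github.com"

# Listing endpoints for every scope a workflow can read secrets from.
# Auditing only the repository scope is one way a token gets missed.
SCOPE_PATHS = {
    "repo": "/repos/{owner}/{repo}/actions/secrets",
    "environment": "/repos/{owner}/{repo}/environments/{env}/secrets",
    "org": "/orgs/{org}/actions/secrets",
    "dependabot": "/repos/{owner}/{repo}/dependabot/secrets",
}


def parse_github_ts(ts):
    """GitHub returns RFC 3339 UTC timestamps such as 2025-05-11T14:20:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unrotated(secrets, response_started):
    """Return the names of secrets whose updated_at is earlier than the
    moment the rotation effort began; those still hold old values."""
    return sorted(
        s["name"] for s in secrets
        if parse_github_ts(s["updated_at"]) < response_started
    )


def list_secrets(path, token, **params):
    """Live call: page through one secrets listing endpoint (per_page max 100).
    Needs a token with actions:read or repo scope; only metadata comes back."""
    url = GITHUB_API + path.format(**params)
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    page, out = 1, []
    while True:
        req = urllib.request.Request(f"{url}?per_page=100&page={page}", headers=headers)
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        out.extend(body["secrets"])
        if not body["secrets"] or len(out) >= body["total_count"]:
            return out
        page += 1


# Constructed sample listing shaped like the API response; dates are illustrative.
SAMPLE_SECRETS = [
    {"name": "NPM_PUBLISH_TOKEN", "created_at": "2024-09-02T10:00:00Z", "updated_at": "2025-05-11T14:20:00Z"},
    {"name": "DEPLOY_KEY", "created_at": "2023-03-14T08:00:00Z", "updated_at": "2025-05-11T15:02:30Z"},
    {"name": "LEGACY_CI_TOKEN", "created_at": "2022-11-01T09:12:00Z", "updated_at": "2022-11-01T09:12:00Z"},
]
# Constructed: the time the rotation sweep started.
RESPONSE_STARTED = datetime(2025, 5, 11, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("not rotated since response began:", find_unrotated(SAMPLE_SECRETS, RESPONSE_STARTED))
```

Run the audit against every scope in `SCOPE_PATHS` for every repository in the organization, not just the ones touched by the incident. Two caveats: `updated_at` shows that the stored value changed, not that the old credential was revoked at its issuer (GitHub, npm, a cloud provider), so pair the audit with issuer-side revocation; and tokens embedded in workflow files, runner images or self-hosted runner environments are invisible to these endpoints and need a separate sweep.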
Customer production systems and repos were not impacted. The company is taking additional steps to better secure its continuous integration and continuous deployment (CI/CD) pipelines to prevent a similar attack.