TanStack Vendor Cyber Rating & Cyber Score

tanstack.com

High-quality open-source software for web developers. Headless, type-safe, & powerful utilities for Web Applications, Routing, State Management, Data Visualization, Datagrids/Tables, and more.


TanStack A.I CyberSecurity Scoring

Company Information
Website: https://tanstack.com
Employees number: 9
Number of followers: 324
NAICS: 5112
Industry Type: Software Development
Homepage: tanstack.com
TanStack Risk Score (AI oriented)
Between 600 and 649
TanStack (Software Development)
Updated: 14/05/2026
625/1000
Poor (Caa)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
TanStack Global Score (TPRM)
TanStack (Software Development)
Score locked

TanStack: Poor
Current Score: 625, Caa (Poor), on a 0-1000 scale
6 incidents
-75.8 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Score before incident: 422
MAY 2026
Score before incident: 546
Breach, 17 May 2026 (TanStack)
Grafana: Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
Grafana GitHub Breach After Extortion Attempt by CoinbaseCartel
Score after incident: 480
Severity: MEDIUM, impact: -66
Incident reference: GRA1779006227
Grafana Discloses GitHub Breach After Extortion Attempt by CoinbaseCartel

Grafana recently revealed that an unauthorized party gained access to its GitHub environment using a compromised token, allowing the attacker to download the company’s codebase. The incident, discovered "recently," did not expose customer data or disrupt operations, according to Grafana’s statement on X. The company swiftly invalidated the compromised credentials, conducted a forensic investigation, and implemented additional security measures to prevent further unauthorized access. The attacker attempted to extort Grafana, demanding payment to prevent the stolen data from being published. Grafana refused, citing FBI guidance against ransom payments, which warns that such transactions fail to guarantee data recovery and embolden cybercriminals. The breach has not been linked to a specific threat actor, though reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion group that emerged in September 2025. CoinbaseCartel, assessed as an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$, specializes in data theft and extortion rather than traditional ransomware. The group has targeted 170 victims across sectors including healthcare, technology, and manufacturing. While Grafana has not disclosed which codebase was accessed, its portfolio includes solutions like Grafana Cloud, a managed observability platform. The incident follows a recent controversial decision by Instructure, an edtech firm, to pay ShinyHunters after the group threatened to leak terabytes of data from U.S. schools and universities. Grafana has not provided further details on the timeline of the breach or the attacker’s access duration.
INCIDENT DETAILS
TYPE
Data Breach and Extortion
MOTIVATION
Extortion
IMPACT
Data Compromised: Company codebase
Systems Affected: GitHub environment
Operational Impact: No disruption to operations
DATA BREACH
Type Of Data Compromised: Source code
Data Exfiltration: Codebase downloaded
Personally Identifiable Information: None
MAY 2026
Score before incident: 624
Breach, 14 May 2026 (TanStack)
OpenAI: The ChatGPT desktop app for Mac just got hit with a security breach
OpenAI Security Breach in ChatGPT Mac App Due to Compromised Open-Source Library
Score after incident: 479
Severity: HIGH, impact: -145
Incident reference: OPE1778783864
OpenAI Addresses Security Breach in ChatGPT Mac App After Employee Devices Compromised

OpenAI recently disclosed a security breach affecting its ChatGPT app for Mac, stemming from a compromised open-source library. According to a report by 9to5Mac, two employee devices were impacted, though the company stated no user data was accessed and no systems were compromised. The incident was detected after malicious activity was identified in a widely used open-source code repository. OpenAI responded swiftly, containing the threat and launching an investigation with a third-party digital forensics firm. The company confirmed that only limited credential material was exfiltrated, with no other code or information affected. A software update addressing the issue is currently rolling out, with full distribution expected by June 12. Mac users are advised to install the update when prompted, while Windows and iOS users remain unaffected. OpenAI plans to provide further guidance at a later date. This is not the first security concern for the ChatGPT Mac app: in early 2024, a developer discovered that the app stored user conversations locally in plain text rather than encrypting them.
INCIDENT DETAILS
TYPE
Supply Chain Attack
IMPACT
Data Compromised: Limited credential material
Systems Affected: Two employee devices
DATA BREACH
Type Of Data Compromised: Credential material
Data Exfiltration: Yes
MAY 2026
Score before incident: 691
Breach, 12 May 2026 (TanStack)
Guardrails AI, TanStack, OpenSearch, React Router, Mistral AI and UiPath: 84 npm Packages Linked to TanStack Hit by Supply-Chain Breach
Massive Supply Chain Breach Hits 84 npm Packages in TanStack Ecosystem
Score after incident: 624
Severity: CRITICAL, impact: -67
Incident reference: MISUIPOPETANGUA1778567093
Massive Supply Chain Breach Hits 84 npm Packages in TanStack Ecosystem

A sophisticated supply chain attack compromised 84 npm packages within the widely used TanStack ecosystem, including high-profile libraries like React Router (12M+ weekly downloads). The breach, part of the Mini Shai-Hulud malware campaign, targeted continuous integration (CI) environments such as GitHub Actions, injecting a credential-stealing tool designed to evade detection. Security firm Socket detected the malicious packages within six minutes of publication using an AI-powered scanner. The attack extended beyond npm, infecting Python packages like OpenSearch, Mistral AI, Guardrails AI, and UiPath. A message left by the attackers signed TeamPCP confirmed they had been exfiltrating developer credentials for hours during the investigation.

### Attack Mechanics

The malware, embedded in an obfuscated script (router_init.js), acted as a self-propagating worm. Key tactics included:
- Stealth Execution: Detached from terminal sessions, running silently in the background.
- Credential Harvesting: Targeted GitHub Actions tokens, AWS metadata, Kubernetes certificates, and HashiCorp Vault clusters.
- Persistence: Hid copies in VS Code and Claude AI config directories, ensuring reinfection on workspace reopening.
- Exfiltration: Used the Session peer-to-peer network to blend stolen data with encrypted messaging traffic.

The attack leveraged a malicious `optionalDependencies` block in package.json, pointing to a compromised GitHub commit. During `npm install`, a `prepare` lifecycle hook executed tanstack_runner.js, triggering the payload.

### Chained GitHub Actions Exploit

TanStack’s postmortem revealed the breach stemmed from a chained attack on their GitHub Actions pipeline. Attackers exploited a vulnerable pull request target pattern, poisoning the workflow cache to execute malicious code. Instead of stealing static npm tokens, they extracted runtime OpenID Connect tokens from runner memory, enabling legitimate authentication to push compromised updates.

### Response & Indicators of Compromise (IOCs)

TanStack deprecated affected versions, purged workflow caches, and implemented stricter repository protections. Key IOCs include:
- Malicious Files:
  - `router_init.js` (SHA256: `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c`)
  - `tanstack_runner.js` (SHA256: `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96`)
- Network Targets:
  - `hxxp://filev2[.]getsession[.]org/file/` (Session P2P exfiltration)
  - AWS metadata endpoints (`169.254.169.254`, `169.254.170.2`)
  - GitHub API (`api.github.com/repos/`) and npm token validation endpoints.
INCIDENT DETAILS
TYPE
Supply Chain Attack
MOTIVATION
Credential harvesting, data exfiltration
IMPACT
Data Compromised: GitHub Actions tokens, AWS metadata, Kubernetes certificates, HashiCorp Vault clusters, developer credentials
Systems Affected: CI/CD pipelines (GitHub Actions), npm packages, Python packages (OpenSearch, Mistral AI, Guardrails AI, UiPath)
Operational Impact: Compromised software supply chain, potential reinfection via config directories
Brand Reputation Impact: High (affected widely used libraries like React Router)
Identity Theft Risk: High (developer credentials and PII exfiltration)
DATA BREACH
Type Of Data Compromised: GitHub Actions tokens, AWS metadata, Kubernetes certificates, HashiCorp Vault clusters, Developer credentials
Sensitivity Of Data: High (authentication tokens, infrastructure secrets)
Data Exfiltration: Yes (via Session P2P network)
Personally Identifiable Information: Developer credentials
MAY 2026
Score before incident: 690
Breach, 01 May 2026 (TanStack)
Mistral AI: Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved
Mistral AI Suffers Data Breach: 450 Repositories Stolen and Auctioned on Dark Web
Score after incident: 610
Severity: CRITICAL, impact: -80
Incident reference: MIS1778869722
Mistral AI Suffers Data Breach: 450 Repositories Stolen and Auctioned on Dark Web

The hacking group TeamPCP has stolen 450 internal repositories totaling 5GB of source code from Mistral AI, a leading AI development company. The stolen data, which includes code used for training, fine-tuning, benchmarking, and model delivery, is now being auctioned on the dark web for $25,000. TeamPCP, which previously executed a supply chain attack called Mini Shai-Hulud against the TanStack npm package (a widely used UI toolkit with 177 million weekly downloads), distributed infostealer malware to harvest developer credentials, cloud secrets, and SSH keys. The group claims the stolen Mistral AI data contains experimental and future project materials and has warned that if no buyer emerges within a week, they will leak the entire dataset for free. Mistral AI confirmed the breach, stating that attackers compromised a codebase management system and briefly contaminated some SDK packages. However, the company emphasized that core systems, hosted services, user data, and research environments remained unaffected. The auction is exclusive to a single buyer, with TeamPCP even inviting Mistral AI to purchase the data back. The group has indicated that the $25,000 price is negotiable. The incident highlights ongoing risks in AI development supply chains and the potential exposure of proprietary model training materials.
INCIDENT DETAILS
TYPE
Data Breach
MOTIVATION
Financial gain (auctioning stolen data)
IMPACT
Data Compromised: 5GB of source code (450 repositories)
Systems Affected: Codebase management system, SDK packages
Operational Impact: Brief contamination of SDK packages
Brand Reputation Impact: Potential reputational damage due to data breach and auction
DATA BREACH
Type Of Data Compromised: Source code (training, fine-tuning, benchmarking, model delivery, experimental/future projects)
Number Of Records Exposed: 450 repositories
Sensitivity Of Data: High (proprietary AI model training materials)
Data Exfiltration: Yes (auctioned on dark web)
File Types Exposed: Source code
Personally Identifiable Information: None mentioned
APRIL 2026
Score before incident: 711
Cyber Attack, 29 Apr 2026 (TanStack)
npm and TanStack: Malicious TanStack Package Abuses Postinstall Script to Steal Developer Secrets
Malicious 'tanstack' npm Package Exfiltrates Developer Credentials in Stealth Attack
Score after incident: 690
Severity: CRITICAL, impact: -21
Incident reference: TANNPM1777897814
Malicious "tanstack" npm Package Exfiltrates Developer Credentials in Stealth Attack

A malicious npm package named tanstack was discovered executing a data exfiltration campaign, targeting developers by impersonating the legitimate TanStack ecosystem. The attacker exploited confusion with the trusted `@tanstack` organization, known for libraries like TanStack Query and TanStack Table, by registering the unscoped tanstack package on npm. The package, marketed as a "TanStack Player" SDK with polished documentation and branding, contained a hidden postinstall script that activated upon installation. Between 17:08 and 17:35 UTC on April 29, 2026, the attacker published four rapid updates (versions 2.0.4–2.0.7), each refining the malware’s capabilities. The earlier version 2.0.3, released in March, showed no malicious behavior, indicating the attack began with the introduction of the postinstall hook. Once triggered, the script scanned for sensitive environment files, including .env, .env.local, and .env.production, and exfiltrated their contents to an attacker-controlled Svix webhook endpoint. By routing data through a legitimate webhooks-as-a-service platform, the attacker evaded detection by network security tools. The stolen payload included:
- Environment file contents (e.g., AWS keys, GitHub tokens, database credentials, API keys).
- System metadata (Node.js version, OS, architecture).
- Package version and timestamp.

The script disguised sensitive data under misleading field names like "readme" and "agents" to obscure its true nature. The rapid version updates suggest live testing, with 2.0.6 being the most dangerous, targeting all .env.* variants, including production files. Developers who installed versions 2.0.4–2.0.7 should assume compromise, as the attack executed automatically during installation with no persistence mechanism. The incident underscores the risks of name-squatting attacks in open-source ecosystems, where a simple typo (e.g., tanstack vs. @tanstack/query) can lead to full credential exposure.
INCIDENT DETAILS
TYPE
Supply Chain Attack
MOTIVATION
Credential Theft
IMPACT
Data Compromised: Environment file contents (AWS keys, GitHub tokens, database credentials, API keys), system metadata, package version, and timestamp
Systems Affected: Developer workstations with the malicious 'tanstack' npm package installed
Operational Impact: Potential unauthorized access to cloud services, databases, and repositories due to stolen credentials
Brand Reputation Impact: Potential reputational damage to developers and organizations due to credential exposure
Identity Theft Risk: High (if PII or sensitive credentials were exposed)
DATA BREACH
Type Of Data Compromised: Environment variables, API keys, Database credentials, GitHub tokens, AWS keys, System metadata
Sensitivity Of Data: High
File Types Exposed: .env, .env.local, .env.production
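Both TanStack-related incidents above rode on package.json features that run code at install time: the Mini Shai-Hulud entry describes a git-pinned `optionalDependencies` block plus a `prepare` hook running tanstack_runner.js, and the unscoped `tanstack` package used a `postinstall` script. The audit below is an added example, not code from Rankiteo, TanStack or either investigation; it checks a parsed manifest for those three vectors (install-time lifecycle scripts, git-sourced dependencies, unscoped names that collide with a trusted scope). The manifests, `demo-app`, `example-org` and `router-helper` are constructed.

```python
import re

# Lifecycle scripts npm runs automatically during `npm install` (real npm event
# names; the incidents above abused `prepare` and `postinstall`).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")
# Dependency specs that resolve to a git host instead of the npm registry,
# e.g. "github:owner/repo#<commit>" or "git+https://github.com/owner/repo.git".
GIT_SPEC = re.compile(r"^(git\+|github:|gitlab:|bitbucket:|git@|https?://github\.com/)")


def audit_manifest(manifest, trusted_scopes=("tanstack",)):
    """Return (severity, location, detail) findings for one parsed package.json:
    install-time lifecycle scripts, dependencies fetched from git (rated high in
    optionalDependencies, which install and fail silently), and unscoped names
    that collide with a trusted scope ('tanstack' vs '@tanstack/...')."""
    findings = []
    for hook, cmd in (manifest.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(("high", f"scripts.{hook}", cmd))
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            if GIT_SPEC.match(spec):
                sev = "high" if field == "optionalDependencies" else "medium"
                findings.append((sev, f"{field}.{name}", f"git source: {spec}"))
            if name in trusted_scopes:
                findings.append(("medium", f"{field}.{name}",
                                 f"unscoped name collides with trusted scope @{name}"))
    return findings


# Constructed manifests for the demo: 'tanstack_runner.js' is the file name
# reported in the incident; 'demo-app', 'example-org' and 'router-helper' are invented.
SUSPECT_MANIFEST = {
    "name": "demo-app",
    "scripts": {"build": "tsc", "prepare": "node tanstack_runner.js"},
    "dependencies": {"@tanstack/react-query": "^5.0.0", "tanstack": "2.0.6"},
    "optionalDependencies": {
        "router-helper": "github:example-org/router-helper#0123456789abcdef0123456789abcdef01234567"
    },
}
CLEAN_MANIFEST = {
    "name": "demo-app",
    "scripts": {"build": "tsc", "test": "vitest"},
    "dependencies": {"@tanstack/react-query": "^5.0.0"},
}

if __name__ == "__main__":
    for sev, where, detail in audit_manifest(SUSPECT_MANIFEST):
        print(f"[{sev}] {where}: {detail}")
```

To audit an installed tree rather than one manifest, feed each `node_modules/**/package.json` through `json.load` into `audit_manifest`; a `high` finding on a transitive dependency is the case the Mini Shai-Hulud entry describes.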
MARCH 2026
Score before incident: 711
FEBRUARY 2026
Score before incident: 710
JANUARY 2026
Score before incident: 709
DECEMBER 2025
Score before incident: 708
NOVEMBER 2025
Score before incident: 707
OCTOBER 2025
Score before incident: 706
SEPTEMBER 2025
Score before incident: 705
AUGUST 2025
Score before incident: 704
JULY 2025
Score before incident: 703
MAY 2024
Score before incident: 751
Breach, 01 May 2024 (TanStack)
OpenAI and TanStack: No User Data Impacted in Third-party Breach, OpenAI Says
OpenAI Third-Party Breach with Limited Impact
Score after incident: 687
Severity: LOW, impact: -64
Incident reference: TANOPE1778755599
OpenAI Confirms Limited Third-Party Breach, No User Data Impacted

OpenAI disclosed a third-party security incident involving unauthorized access to its corporate code repositories, though the company emphasized that the breach was contained and did not compromise user data or production systems. According to OpenAI, only a small amount of credential material was exfiltrated, with no evidence that intellectual property, software integrity, or customer information was affected. The attack prompted immediate containment measures, including isolating impacted systems and temporarily restricting code deployment workflows. As a precaution, OpenAI is rotating its code-signing certificates and will require macOS users to update their applications. The breach also involved a supply chain attack on the open-source library TanStack npm, though OpenAI confirmed this did not result in access to user data. However, two employee devices within OpenAI’s corporate environment were affected by the TanStack incident. OpenAI reiterated that no evidence suggests the attack exposed user data or disrupted its services, maintaining that the incident was limited in scope. The company continues to investigate the full extent of the breach.
INCIDENT DETAILS
TYPE
Third-party breach, Supply chain attack
IMPACT
Data Compromised: Small amount of credential material
Systems Affected: Corporate code repositories, Two employee devices in corporate environment
Operational Impact: Temporary restriction of code deployment workflows
DATA BREACH
Type Of Data Compromised: Credential material
Sensitivity Of Data: Low (no user data or intellectual property compromised)
Data Exfiltration: Yes (small amount of credential material)
Personally Identifiable Information: No

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for TanStack?
What was TanStack's A.I Rankiteo Cyber Score in May 2026?
What was TanStack's A.I Rankiteo Cyber Score in April 2026?
What was TanStack's A.I Rankiteo Cyber Score in March 2026?
What was TanStack's A.I Rankiteo Cyber Score in February 2026?
What was TanStack's A.I Rankiteo Cyber Score in January 2026?
What was TanStack's A.I Rankiteo Cyber Score in December 2025?
What was TanStack's A.I Rankiteo Cyber Score in November 2025?
What was TanStack's A.I Rankiteo Cyber Score in October 2025?
What was TanStack's A.I Rankiteo Cyber Score in September 2025?
What was TanStack's A.I Rankiteo Cyber Score in August 2025?
What was TanStack's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on TanStack's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with TanStack?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view TanStack's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?