PANews reported on May 20th that Grafana, an open-source data visualization tool, released an update on its investigation into the May 16th security incident. The investigation found that the incident was limited to Grafana Labs' GitHub environment, including public and private source code and internal GitHub repositories, and did not affect customer production systems, operations, or the Grafana Cloud platform. In addition to source code, the downloaded content included repositories that some teams used for collaboration and for storing internal operational information and business details. These contained business contact names and email addresses, not data from production systems or the cloud platform. Grafana Labs explicitly stated that the codebase was downloaded but not tampered with, and that customers and open-source users currently do not need to take any action. The incident stemmed from a TanStack npm supply chain attack carried out through the Mini Shai-Hulud campaign. Grafana Labs detected malicious activity on May 11th and initiated an incident response, but an overlooked credential allowed attackers to gain access. After receiving a ransom demand on May 16th, the company decided not to pay the ransom and has rotated automated credentials, implemented enhanced monitoring, audited all commits since May 11th, and significantly strengthened GitHub security configurations. The company has notified federal law enforcement that the investigation is ongoing.
Grafana: Investigations found that recent security incidents did not affect customers' production systems and operations.
Author: PA一线




