Hacker News
Grafana Labs Source Code Stolen via GitHub Action 'Pwn Request' Vulnerability — Extortion Attempt Refused
Grafana Labs disclosed on May 16 that an attacker exploited a pull_request_target misconfiguration in a recently enabled GitHub Action to extract privileged tokens, then downloaded Grafana's entire private codebase. The attacker (claimed by CoinbaseCartel) attempted extortion; Grafana refused citing FBI guidance. The root cause was a 'Pwn Request' vulnerability where external contributors could access production secrets during CI runs by forking a repo and injecting malicious code. No customer data was accessed.
↳ Follow the thread