Grafana Labs Says Code Breach Stemmed from TanStack Attack

A supply‑chain campaign dubbed Mini Shai‑Hulud (attributed to TeamPCP) compromised dozens of TanStack npm packages by inserting credential‑stealing malware into signed releases, which enabled exfiltration of CI/CD and cloud tokens and led to downstream compromises including Grafana Labs’ GitHub repositories and theft of internal operational contact data; the attackers have also attempted extortion.