A wave of cyberattacks struck open source infrastructure and commercial software providers throughout May 2026, with hackers compromising hundreds of npm packages, breaching Grafana’s GitHub environment, and exposing the inner workings of a major ransomware gang. The incidents underscore how attackers are increasingly targeting the software supply chain and the credentials that hold it together.
630 Malicious npm Packages Released in 20 Minutes
On May 19, cybersecurity firms StepSecurity and SafeDep warned of a new wave of supply chain attacks targeting open source developers. According to SafeDep, hackers seized control of a single developer account and used it to publish over 630 malicious package versions across 317 packages in roughly 20 minutes.
The payloads are designed to steal credentials from password managers and other services — a mechanism that lets attackers both exfiltrate data and propagate the malware further downstream. Among the compromised packages is Antv, a visualization library maintained by Alibaba. JFrog Security reported that in some cases the attackers published malicious updates directly to GitHub, not just to the npm registry.
Researchers have labeled this campaign “Mini Shai-Hulud,” identifying it as a continuation of a broader hacking operation. In an earlier wave of the same campaign last week, hackers compromised the computers of two OpenAI employees after first breaching the open source library TanStack. OpenAI was one of multiple victims across that wave.
The speed of the attack — hundreds of packages poisoned inside a single work session — reflects how effective account takeover has become as an entry point into the open source ecosystem. Developers who automatically pull the latest package versions are particularly exposed.
Grafana Confirms GitHub Token Compromise
Grafana, the open source visualization and analytics platform, confirmed a data breach on May 18, two days after the cybercrime group Coinbase Cartel listed it on their leak site. In a statement, Grafana said a compromised token granted the attackers access to the Grafana Labs GitHub environment, allowing them to download its codebase.
Grafana said no personal or customer data was stolen, and that customer systems and operations were not affected. The company also confirmed it received a ransom demand threatening to publish the source code — and declined to pay. The compromised credentials have since been reset, and a forensic investigation is underway.
Coinbase Cartel, active since September 2025, does not deploy file-encrypting ransomware. Instead, according to SecurityWeek, it steals sensitive data and demands payment to suppress publication. The group currently lists 105 victims on its leak site.
Cybersecurity researchers have linked Coinbase Cartel to a broader alliance involving ShinyHunters, Scattered Spider, and Lapsus$, whose members have been collaborating since at least mid-2025. That alliance has claimed intrusions against Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic, typically signing attacks under the ShinyHunters name.
Ransomware Gang ‘The Gentlemen’ Gets Breached
In an unusual reversal, one of 2026’s most active ransomware operations was itself compromised. According to Check Point Research, an anonymous group breached the internal back-end database of The Gentlemen, a Russian ransomware-as-a-service (RaaS) gang, on or just before May 4.
The attackers are now selling just over 16GB of the gang’s internal communications, tooling, and operational data for $10,000 in Bitcoin. A 44MB sample was leaked publicly to establish credibility, and Check Point has analyzed it in detail.
The numbers behind The Gentlemen’s operation are significant. In only the first five months of 2026, the group published sensitive data from 332 different organizations on its leak site — making it the second most productive ransomware group globally this year, just behind Qilin, according to Check Point. That figure excludes victims who paid ransoms and were never listed.
Check Point’s analysis of the leaked sample reveals the group’s structure: the leader, known online as “zeta88,” builds and maintains the locker malware and curates the affiliate program. The group runs a generous affiliate model, which Check Point says has been central to its rapid growth.
Eli Smadja, Check Point’s group manager for product R&D, told Dark Reading that while the breach is “a reputational hit,” it is not expected to significantly disrupt operations or reduce the gang’s effectiveness.
A Pattern: Credentials as the Common Thread
Across all three incidents, compromised credentials — not zero-day exploits — were the initial access vector. A stolen npm developer account enabled the Mini Shai-Hulud campaign. A stolen GitHub token let attackers walk into Grafana’s codebase. And The Gentlemen’s own operational security failure exposed their internal database.
This pattern aligns with what Dark Reading’s 20-year retrospective identified as a persistent structural problem in enterprise security: simple credential failures routinely cause complex, cascading damage. Despite decades of investment in detection and response tooling, the most effective attacks continue to exploit the path of least resistance — a reused password, an over-permissioned token, a developer account without multi-factor authentication.
The supply chain vector is particularly difficult to defend because it exploits trust relationships baked into development workflows. When a developer installs a package from a trusted author, there is rarely a mechanism to verify that the author’s account hasn’t been taken over.
What This Means
The May 2026 incidents collectively illustrate three converging pressures on security teams.
First, the open source supply chain remains structurally vulnerable to account takeover. The Mini Shai-Hulud campaign demonstrates that a single compromised developer credential can poison hundreds of packages within minutes — faster than most security teams can detect and respond. Organizations that consume open source dependencies without pinning versions or verifying package integrity are running a continuous, unquantified risk.
Second, the Coinbase Cartel/ShinyHunters alliance is maturing into a persistent, multi-group threat actor with a growing victim list and a clear operational model: steal data, demand payment, publish if refused. Grafana’s decision not to pay is notable, but the source code is now in the hands of a group with demonstrated willingness to publish. Other organizations in the alliance’s crosshairs face the same calculus.
Third, the breach of The Gentlemen’s infrastructure — however it occurred — is a reminder that ransomware groups are themselves targets, and that their internal data can be valuable intelligence. The leaked sample has already yielded insight into affiliate structures and TTPs that defenders can use. But Check Point’s assessment that operations will continue largely unimpeded is the more important takeaway: disrupting a RaaS gang’s reputation does not disrupt its revenue model.
For security and engineering teams, the immediate practical response is the same across all three scenarios: audit token permissions, enforce MFA on all developer accounts, and implement dependency pinning with integrity verification in CI/CD pipelines.
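As an added illustration of the last recommendation (dependency pinning with integrity verification), not code from the article or any of the firms it cites, the following Node script is the kind of pre-install gate a CI job could run before `npm ci`: it flags floating version ranges in package.json and lockfile entries that lack a sha512 integrity hash. Both input documents are constructed inline, and the digest value is a placeholder.

```javascript
// Added example: CI gate for pinned versions and lockfile integrity (constructed inputs).
// Constructed package.json: one exact pin, one floating caret range.
const PACKAGE_JSON = {
  dependencies: { "left-pad": "1.3.0", lodash: "^4.17.21" },
};
// Constructed package-lock.json (lockfileVersion 3 shape). The digest is a placeholder;
// the lodash entry deliberately has no integrity field.
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDERDIGEST",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// An exact version is MAJOR.MINOR.PATCH with optional prerelease/build; no ^ ~ * x > < ||.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Return "name@range" for every dependency whose range is not an exact pin.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(range)) out.push(`${name}@${range}`);
    }
  }
  return out;
}

// Return lockfile entries that carry no sha512 integrity hash (root entry "" is skipped).
function findMissingIntegrity(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const ok = typeof entry.integrity === "string" && entry.integrity.startsWith("sha512-");
    if (!ok) out.push(path);
  }
  return out;
}

// Combined audit; a CI job would fail the build when either list is non-empty.
function auditLockfile(pkg, lock) {
  return { unpinned: findUnpinned(pkg), missingIntegrity: findMissingIntegrity(lock) };
}
```

With the constructed inputs the audit reports `lodash@^4.17.21` as unpinned and `node_modules/lodash` as lacking an integrity hash; running `npm ci --ignore-scripts` after a clean audit keeps installs bound to the hashes the lockfile records.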
FAQ
What is the Mini Shai-Hulud supply chain attack?
Mini Shai-Hulud is the name researchers have given to an ongoing campaign targeting open source software developers. Attackers compromise developer accounts and use them to publish malicious package versions that steal credentials from downstream users. The campaign is a continuation of a broader prior operation and has already affected hundreds of npm packages and at least two OpenAI employees.
Did the Grafana breach expose customer data?
Grafana said no personal or customer data was stolen in the breach. The attackers accessed and downloaded Grafana’s source code via a compromised GitHub token, then demanded a ransom to prevent publication. Grafana declined to pay and has reset the affected credentials while a forensic investigation continues.
Who is the Coinbase Cartel and how is it connected to ShinyHunters?
Coinbase Cartel is a cybercrime group active since September 2025 that steals data and demands ransoms without deploying file-encrypting malware. Cybersecurity researchers have linked it to an alliance involving ShinyHunters, Scattered Spider, and Lapsus$, which has been operating collaboratively since at least mid-2025. The alliance has claimed breaches against more than 100 organizations, often signing intrusions under the ShinyHunters name.
Sources
- Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack – TechCrunch
- Boulevard of Broken Dreams: 2 Decades of Cyber Fails – Dark Reading
- 20 Leaders Who Built the CISO Era: 2 Decades of Change – Dark Reading
- Tables Turn on ‘The Gentlemen’ RaaS Gang With Data Leak – Dark Reading
- Grafana Confirms Breach After Hackers Claim They Stole Data – SecurityWeek