This pack covers a single high-severity incident in which the threat actor cluster CoinbaseCartel (affiliated with ShinyHunters, Scattered Spider, and LAPSUS$) compromised a GitHub Actions personal access token to exfiltrate Grafana source code and issue an extortion demand. The dominant attack pattern is CI/CD credential abuse enabling supply chain infiltration, a class of attack that requires no CVE and bypasses most perimeter controls. Immediate attention is required for any organization running GitHub Actions pipelines with long-lived tokens or broadly scoped secrets, and any organization deploying Grafana should monitor for follow-on vulnerability disclosures from adversaries now in possession of Grafana’s source code.