A threat actor compromised a GitHub personal access token embedded in Grafana’s GitHub Actions CI/CD workflow and exfiltrated Grafana’s source code repository. No CVE applies; this is a secrets management and CI/CD misconfiguration incident. The forward-looking risk is adversary-held source code enabling undisclosed vulnerability discovery or tampered build artifact injection before Grafana can detect and disclose.
