ZeroFox Intelligence Flash Report - Grafana Labs Source Code Theft and Extortion Attempt
by Alpha Team

Product Serial: F-2026-05-20a
TLP:CLEAR
In this Flash Report, ZeroFox researchers detail the recent data theft and extortion attempt against Grafana Labs and the continued splintering of Scattered Lapsus$ Hunters.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- On May 17, 2026, Grafana Labs disclosed that its private code was stolen from a GitHub repository using a known vulnerability called a “Pwn Request.” The breach was claimed by ransomware and digital extortion (R&DE) collective CoinbaseCartel; however, Grafana Labs refused to pay the ransom demanded.
- CoinbaseCartel first appeared in September 2025, focusing exclusively on data theft and extortion—removing proprietary information from servers before demanding ransom.
- CoinbaseCartel reportedly shares infrastructure, including a domain, with the Scattered Lapsus$ Hunters (SLSH) ecosystem, suggesting it is very likely an offshoot of SLSH and likely operates as the data theft extortion affiliate for the larger SLSH collective.
- This attack very likely signifies a further diversification within the SLSH ecosystem. SLSH is already the dominant English-language R&DE collective and has previously splintered into specializations; more brand diversification within the ecosystem is very likely in 2026 and beyond.
Tags: tlp:clear, threat actor, malware