PANews reported on April 28 that Grafana, the open-source data visualization tool, has responded to the recent attack, saying that the attacker stole a limited number of access tokens by tampering with a GitHub Actions workflow. The incident originated from a configuration vulnerability in a recently enabled GitHub Actions workflow: by forking the repository and injecting malicious curl commands, the attacker was able to extract environment variables from five private repositories. In response, Grafana immediately disabled all public-repository workflows and rotated the exposed tokens, used tools such as TruffleHog to confirm that the leaked credentials were no longer valid, audited its internal workflows with the Gato-X tool, and retained access logs in Grafana Loki for a complete investigation. So far, Grafana's investigation has found no evidence of code modification, unauthorized access to production systems, leakage of customer data, or access to personal information. The attack method matches the "credential lurking" pattern described in Mandiant's recent report (average incubation period of 11 days). Grafana said it will strengthen its CI/CD security measures, including mandatory integration of detection tools such as Zizmor.
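As an added illustration (not Grafana's code, and not the internal logic of Gato-X or Zizmor), the script below audits workflow files for the general pattern the article describes: a workflow that executes fork-contributed code in a job that also holds secrets, so a malicious pull request can read and exfiltrate them. The article does not say which configuration was at fault; the script assumes the well-known combination of a `pull_request_target` trigger with a checkout of the pull request's head commit. The three workflow files are constructed samples, not Grafana's.

```python
"""Heuristic audit of GitHub Actions workflows for the "fork code runs with
secrets" pattern.  Added example; the workflows below are constructed samples
and the trigger/checkout combination checked for is an assumption, not a
detail reported for the Grafana incident."""
import re
from dataclasses import dataclass, field

# Trigger that runs a PR job in the base repository's context, i.e. with secrets,
# even when the PR comes from a fork.
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
# actions/checkout pointed at the PR's own commit: the fork now controls the
# scripts, Makefiles and package manifests the job will run.
PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
# Any secret interpolated into the workflow (env, with:, run:).
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


@dataclass
class Finding:
    workflow: str
    privileged_trigger: bool = False
    checks_out_pr_head: bool = False
    secrets_exposed: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # Untrusted code executes in a job that can reach secrets.
        return self.privileged_trigger and self.checks_out_pr_head


def strip_comments(text: str) -> str:
    """Drop YAML comments so a commented-out line cannot trigger a finding."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_workflow(name: str, text: str) -> Finding:
    body = strip_comments(text)
    return Finding(
        workflow=name,
        privileged_trigger=bool(PRIVILEGED_TRIGGER.search(body)),
        checks_out_pr_head=bool(PR_HEAD_CHECKOUT.search(body)),
        secrets_exposed=sorted(set(SECRET_REF.findall(body))),
    )


def risky_workflows(workflows: dict) -> list:
    """Names of workflows where fork code and secrets meet in one job."""
    return [f.workflow for n, t in workflows.items()
            if (f := audit_workflow(n, t)).risky]


# Constructed sample workflows (hypothetical, not from any real repository).
SAMPLE_WORKFLOWS = {
    # Vulnerable: privileged trigger + checkout of the PR head + a secret in env.
    "ci-vulnerable": """
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
""",
    # Hardened: plain pull_request trigger, so fork PRs get no secrets.
    "ci-hardened": """
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
""",
    # pull_request_target without running PR code: privileged but not risky
    # under this heuristic, which is why it is reported separately.
    "labeler": """
name: label
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
""",
}

if __name__ == "__main__":
    for name, text in SAMPLE_WORKFLOWS.items():
        f = audit_workflow(name, text)
        print(f"{name}: risky={f.risky} trigger={f.privileged_trigger} "
              f"pr_head_checkout={f.checks_out_pr_head} secrets={f.secrets_exposed}")
```

The hardened sample shows the usual fix: anything that builds or tests pull request code runs on `pull_request`, where forks receive no secrets, and `pull_request_target` is reserved for jobs that never check out or execute the contributor's code. Real auditors such as the tools named in the article parse the YAML properly and cover many more patterns; this regex heuristic is only meant to make the one pattern concrete.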