alt.hn

5/17/2026 at 3:48:15 AM

Grafana Labs internal source code accessed

https://twitter.com/grafana/status/2055827123236171827

by jschorr

5/17/2026 at 8:21:14 AM

I was recently considering an engineering job offer at Grafana. At the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools, even though everyone can imagine what it looks like.)

Looks like they could have invested more energy in the processes and security rather than catching up with the "innovation" craze that much.

by kunley

5/17/2026 at 10:47:46 AM

Jobs are truly ridiculous in today's market. Not only do you have to be "AI-native" with more years of experience with GenAI code than the time since it started getting popular, but you also get jobs that require you to know Claude Code in'n out, as if no other agentic coding tool exists.

by mhitza

5/17/2026 at 12:12:33 PM

on my data engineering masters the course leader told us about a job advert he’d seen one time. the job needed hadoop experience, like 7 years worth.

hadoop had only existed for 5 years at the time, at most.

he figured that someone in HR got the draft for the job advert and just added in the 7 years as a guess based on another role they were hiring for.

edit — number of years required with specific technology is just a hand wavy estimate of how important it is for the role. never treat the numbers as gospel. that was the lesson he was teaching us.

by dijksterhuis

5/17/2026 at 11:51:18 AM

This can play in your favor if you are experienced enough.

See, it is bullshit, but it is also easy enough. Claude Code is not inscrutable, this is much easier than learning, say, a new programming language. You can meaningfully learn enough to pass an interview in a couple of weeks. It's basically the same amount of information you need to learn to hype AI in HN comment section.

So yeah, I think AI is a deadend technology, far from being as useful as everyone invested on it claims. But I have been using it liberally just so I am on top of this shit, since it is the current hype cycle.

by surgical_fire

5/17/2026 at 9:28:23 AM

The companies are now so often looking for "AI engineers" or "engineers with AI experience", which is crazy given how the current generation of AI tools is in very early stages, and spending a lot of time mastering them might be time well wasted if many of them actually believe in any further advances, much less AGI. If what the AI overlords promise is to materialize, then all these primitive tools like agents, MCPs, plugins (or "marketplaces", which is crazy given that LLMs couldn't help them come up with a better name) and whatnot should be just an insignificant blip in the history of AI evolution.

by pllbnk

5/17/2026 at 10:30:12 AM

Companies that care about the 3-15 months of agentic engineering experience you could possibly have (15 months if you count by the launch of Claude Code, 3 months if you count by when that term was coined) don't think about AGI. They think about immediate productivity gains and not working against company culture from the very beginning of their employment.

I remember one job interview where the team lead interviewing me and I had completely different takes on static vs. dynamic typing. It was an awkward moment when we realized we'd never agree, and attempting to cooperate would be very burdensome. Don't hire someone who thinks what you're doing is stupid. AI really divides the waters, better be up front.

by sshine

5/17/2026 at 7:36:27 AM

Is there anything of value in the internal codebase?

So many companies' internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.

by londons_explore

5/17/2026 at 3:39:20 PM

They killed OSS incident management

Given that a lot of their software is OSS or OSS-based, there's a probable chance the non-OSS part is runnable and usable outside the company.

The product is mostly "standalone" in that it doesn't require integrations with 3rd parties, unlike, say, banking software.

by nijave

5/17/2026 at 7:23:27 PM

AI is actually pretty good at finding vulnerabilities in the codebase.

Critical vulnerability in that source code could enable further access to other production systems or databases.

Edit: typo

by radku

5/17/2026 at 8:37:21 AM

Maybe some EE stuff like SSO etc.? Unfortunately layering that stuff on is super low effort in these LLM days.

by Rapzid

5/17/2026 at 8:44:16 AM

Grafana OSS does support SSO out of the box, at least OIDC (which is a technically superior standard to SAML w.r.t. security).

The Enterprise edition seems to focus a lot on meta-information about grafana itself: the most frequently accessed dashboard, who is viewing the current dashboard etc.

There's also group-sync, I guess, which is useful, but honestly the selling point of enterprise is the support, I think.

In fact, I might buy enterprise following this, the fact that so much is in the base product gives me the warm fuzzies.

by dijit


5/17/2026 at 12:53:25 PM

Quite funny how they phrase this.

"We recently discovered..." then later "...The attacker attempted to blackmail us"

So, I'd wager they had no idea of the breach until the attacker tried to blackmail them.

by nusl

5/17/2026 at 5:19:35 AM

Quote: “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”

by oori

5/17/2026 at 8:46:31 AM

"Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)

by jwr

5/17/2026 at 11:35:21 AM

One of the scalars in our feature matrix allowed for an attack vector to move beyond our security barrier causing an incident overflow

by prymitive

5/17/2026 at 9:01:09 AM

Let's hope they don't go kinetic.

by scotty79

5/17/2026 at 6:26:06 AM

I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If the latter, I wonder what they missed, since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.

[1] https://youtu.be/4D068lS85NY

by sangeeth96

5/17/2026 at 5:07:10 AM

aren't they just psql tho? well, i guess we will find out soon.

by iririririr

5/17/2026 at 4:46:30 AM

Their whole repo had been made public!!!!

https://github.com/grafana/grafana

/s

by anotherhue

5/17/2026 at 5:41:55 AM

This is worse than the Linux kernel source code leaks of April 1st.

by jchw

5/17/2026 at 6:02:55 AM

I think they mean grafana cloud.

by esseph

5/17/2026 at 5:58:52 AM

>We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.

I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase"?

You can't just drop in buzzwords willy-nilly; they buzz better in the right places.

by fsckboy

5/17/2026 at 1:25:06 PM

Well, "unauthorized party" is a better attention-grabber early on, but then of course it goes into an entirely different direction.

by dxdm