Grafana Labs internal source code accessed

Grafana Labs internal source code accessed(twitter.com)

84 points by jschorr 1 day ago | 26 comments

kunley 1 day ago |

I was recently considering an engineering job offer at Grafana. At the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools; even though everyone can imagine how it looks like).

Looks like they could have invested more energy in the processes and security rather than catching up "innovation" craze that much

mhitza 1 day ago | |

Jobs are trully ridiculous in today's market. Not only you have to be "AI-native" with more years of experience with GenAI code, than the time it started getting popular, but you also get jobs that require you to know Claude Code in'n out, as if no other agent coding exists.

dijksterhuis 22 hours ago | | |

on my data engineering masters the course leader told us about a job advert he’d seen one time. the job needed hadoop experience, like 7 years worth.

hadoop had only existed for 5 years at the time, at most.

he figured that someone in HR got the draft for the job advert and just added in the 7 years as a guess based on another role they were hiring for.

edit — number of years required with specific technology is just a hand wavy estimate of how important it is for the role. never treat the numbers as gospel. that was the lesson he was teaching us.

surgical_fire 23 hours ago | | |

This can play in your favor if you are experienced enough.

See, it is bullshit, but it is also easy enough. Claude Code is not inscrutable, this is much easier than learning, say, a new programming language. You can meaningfully learn enough to pass an interview in a couple of weeks. It's basically the same amount of information you need to learn to hype AI in HN comment section.

So yeah, I think AI is a deadend technology, far from being as useful as everyone invested on it claims. But I have been using it liberally just so I am on top of this shit, since it is the current hype cycle.

pllbnk 1 day ago | |

The companies are now so often looking for "AI engineers" or "engineers with AI experience" which is crazy given how current generation of AI tools are in very early stages and spending a lot of time mastering them might be time well wasted if many of them actually believe in any further advances, much less AGI. If what AI overlords promise is to materialize, then all these primitive tools like agents, MCPs, plugins (or "marketplaces" which is crazy that LLMs couldn't help them come up with a better name) and whatnot should be just an insignificant blip in the history of AI evolution.

sshine 1 day ago | | |

Companies that care about the 3-15 months of agentic engineering experience you could possibly have (15 months if you count by the launch of Claude Code, 3 months if you count by when that term was coined) don't think about AGI. They think about immediate productivity gains and not working against company culture from the very beginning of their employment.

I remember one job interview where the team lead interviewing me and I had completely different takes on static vs. dynamic typing. It was an awkward moment when we realized we'd never agree, and attempting to cooperate would be very burdensome. Don't hire someone who thinks what you're doing is stupid. AI really divides the waters, better be up front.

londons_explore 1 day ago |

Is there anything of value in the internal codebase?

So many companies internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.

nijave 19 hours ago | |

They killed OSS incident management

Given a lot of their software is OSS or OSS based there's a probable chance non-OSS is runnable and usable outside the company

The product is mostly "standalone" in that it doesn't require integrations with 3rd parties unlike, say, banking software

radku 15 hours ago | |

AI is actually pretty good at finding vulnerabilities in the codebase.

Critical vulnerability in that source code could enable further access to other production systems or databases.

Edit: typo

Rapzid 1 day ago | |

Maybe some EE stuff like SSO and etc? Unfortunately layering that stuff on is super low effort in these LLM days.

dijit 1 day ago | | |

Grafana OSS does support SSO out of the box, at least OIDC (which is a technically superior standard to SAML w.r.t. security).

The Enterprise edition seems to focus a lot on meta-information about grafana itself: the most frequently accessed dashboard, who is viewing the current dashboard etc.

Theres also group-sync, I guess, which is useful, but honestly the selling point of enterprise is the support I think.

In fact, I might buy enterprise following this, the fact that so much is in the base product gives me the warm fuzzies.

dijksterhuis 1 day ago |

non-twitter link https://xcancel.com/grafana/status/2055827123236171827#m

nusl 22 hours ago |

Quite funny how they phrase this.

"We recently discovered.." then later "..The attacker attempted to blackmail us"

So, I'd wager they had no idea of the breach until the attacker tried to blackmail them.

oori 1 day ago |

Quote: “ The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”

deathanatos 1 day ago | |

Don't pay the Dane-geld: https://en.wikipedia.org/wiki/Dane-geld_(poem)

christkv 1 day ago | | |

All you get is more Danes

jwr 1 day ago |

"Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)

prymitive 23 hours ago | |

One of the scalars in our feature matrix allowed for an attack vector to move beyond our security barrier causing an incident overflow

scotty79 1 day ago | |

Let's hope they don't go kinetic.

sangeeth96 1 day ago |

I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If latter, wonder what they missed since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.

[1] https://youtu.be/4D068lS85NY

iririririr 1 day ago |

aren't they just psql tho? well, i guess we will find out soon.

anotherhue 1 day ago |

Their whole repo had been made public !!!!

https://github.com/grafana/grafana

jchw 1 day ago | |

This is worse than the Linux kernel source code leaks of April 1st.

esseph 1 day ago | |

I think they mean grafana cloud.

fsckboy 1 day ago |

>We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.

I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase" ?

you can't just drop in buzzwords willy nilly, they buzz better in the right places.

dxdm 21 hours ago | |

Well, "unauthorized party" is a better attention-grabber early on, but then of course it goes into an entirely different direction.