Monday 18 May 2026

Grafana's Source Code Was Stolen and Used as Leverage — Here's What Actually Happened

Grafana's codebase was downloaded by an attacker who then tried to extort the company — and a new phishing kit is bypassing MFA to hijack Microsoft 365 accounts at scale.

Lead story

Someone stole a GitHub access token from Grafana, downloaded the entire codebase, and then tried to extort the company with it. That's the short version. The longer version is instructive for any engineering org that uses GitHub as its source-of-record.

Grafana published a post-incident disclosure confirming that an unauthorised party obtained a token with access to its GitHub environment. The attacker used that access to clone the company's repositories — the full codebase. They then approached Grafana apparently seeking payment, using the stolen code as leverage. Grafana has said no customer data or personal information was accessed, and there's no evidence of downstream impact to customer systems.

Why this matters more than a typical source-code leak. Grafana isn't some niche tool. It's the dashboarding and observability platform sitting inside the monitoring stack of a huge chunk of the world's infrastructure — enterprise data centres, cloud platforms, government networks, hospitals. In Australia, Grafana is embedded in everything from large financial services shops to health agencies running on AWS or Azure. If an attacker had found something exploitable in that source code before Grafana could audit and rotate, the blast radius could have been significant.

The good news is that source-code theft without a corresponding supply-chain injection is materially different from a compromise of build pipelines or release artifacts. What Grafana's users are actually running hasn't been shown to be tampered with. That's the key distinction — and it's one every organisation in the supply chain should be verifying independently right now by checking their Grafana versions and build provenance.

The extortion angle is increasingly common. Attackers who get hold of source code but can't immediately monetise it through a vulnerability are turning to extortion as the revenue path. We've seen this with the GitHub token-theft wave that hit multiple companies over the past two years, and it points to a structural problem: GitHub tokens are often long-lived, widely shared across CI/CD systems, and rarely rotated on a schedule.

What to watch. Grafana hasn't yet detailed exactly how the token was obtained — whether through a phishing attack, a compromised developer endpoint, a leaked secret in a CI/CD log, or something else. That disclosure will matter. Token hygiene is the immediate takeaway: audit your GitHub personal access tokens and OAuth apps now, enforce short expiry windows, and make sure your CI/CD secrets aren't logging to places humans can read.
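The two checks above (are CI/CD logs printing tokens, and are tokens long-lived or never expiring) can be turned into a simple audit script. This is an added example, not code from Grafana or from the newsletter; the log lines and the token inventory are constructed samples, and the token strings are made-up values in the documented GitHub formats.

```python
import re
from datetime import datetime, timedelta, timezone

# Documented GitHub token prefixes: ghp_ (classic PAT), gho_ (OAuth), ghu_/ghs_ (app
# user/server tokens), ghr_ (refresh) and github_pat_ (fine-grained PAT).
GITHUB_TOKEN_RE = re.compile(r"\b(?P<prefix>gh[pousr]_|github_pat_)[A-Za-z0-9_]{36,}\b")

def find_leaked_tokens(log_lines):
    """Return (line_no, redacted_line) for each CI log line that prints a GitHub token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if GITHUB_TOKEN_RE.search(line):
            redacted = GITHUB_TOKEN_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", line)
            hits.append((n, redacted))
    return hits

def stale_tokens(inventory, max_age_days=90, now=None):
    """Flag inventory entries that have no expiry or are older than the rotation window."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for tok in inventory:
        reasons = []
        if tok.get("expires_at") is None:
            reasons.append("no expiry set")
        age = now - datetime.fromisoformat(tok["created_at"])
        if age > timedelta(days=max_age_days):
            reasons.append(f"created {age.days} days ago, window is {max_age_days}")
        if reasons:
            flagged.append((tok["name"], reasons))
    return flagged

# Constructed sample data: a CI job log and a token inventory (e.g. exported from an org audit).
SAMPLE_LOG = [
    "Run actions/checkout@v4",
    "git clone https://ghp_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6@github.com/example/repo.git",
    "npm ci",
    "DEBUG env: GH_TOKEN=github_pat_11AAAAAAA0_b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2",
    "Build succeeded",
]
SAMPLE_INVENTORY = [
    {"name": "ci-deploy", "created_at": "2025-01-10T00:00:00+00:00", "expires_at": None},
    {"name": "release-bot", "created_at": "2026-04-01T00:00:00+00:00", "expires_at": "2026-06-30T00:00:00+00:00"},
    {"name": "legacy-sync", "created_at": "2026-01-01T00:00:00+00:00", "expires_at": "2026-12-31T00:00:00+00:00"},
]

if __name__ == "__main__":
    for n, line in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {n}: {line}")
    for name, reasons in stale_tokens(SAMPLE_INVENTORY, now=datetime(2026, 5, 18, tzinfo=timezone.utc)):
        print(name, "->", "; ".join(reasons))
```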

For Australian organisations, this incident also touches SOCI Act obligations around supply-chain risk management. If Grafana is part of your observability stack for critical infrastructure, third-party risk assessments should already cover this vendor. If they don't, now's the time to close that gap — not after an attacker finds something useful in that codebase before you do.

Also today

Tycoon2FA Phishing Kit Bypasses MFA to Hijack Microsoft 365 Accounts

The Tycoon2FA phishing-as-a-service kit has been upgraded with device-code phishing support, a technique that tricks users into entering a Microsoft-generated authentication code — effectively handing over an authenticated session without the attacker ever needing the user's password. The kit also abuses Trustifi click-tracking URLs to obscure its phishing links from email security filters. Device-code phishing is particularly nasty because it works even on accounts with standard MFA enabled, and the login appears to come from a legitimate Microsoft endpoint. Defenders should consider blocking device-code authentication flows in Entra ID conditional access policies if their users don't have a legitimate need for them.

Bleeping Computer
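A defender checking the Tycoon2FA item above will want to know whether their tenant actually blocks device code flow, not just whether a policy exists. The audit below is an added example (not from the article or from Microsoft) and assumes the Microsoft Graph conditionalAccessPolicy JSON shape; the three policies are constructed samples showing a report-only policy, a policy with a group exclusion, and a fully enforced one.

```python
import json

DEVICE_CODE = "deviceCodeFlow"

def blocks_device_code(policy):
    """True only if this exported policy is enforced and blocks device code flow for
    all users and all apps with no exclusions; anything weaker still leaves the flow open."""
    if policy.get("state") != "enabled":      # report-only / disabled policies enforce nothing
        return False
    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if DEVICE_CODE not in [m.strip() for m in flows.split(",")]:
        return False
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
        return False
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):                    # excluded identities can still use the flow
            return False
    if apps.get("excludeApplications"):
        return False
    grant = policy.get("grantControls") or {}
    return "block" in (grant.get("builtInControls") or [])

def audit_device_code_flow(policies):
    """Names of policies that fully block the flow; an empty result means the tenant is exposed."""
    return [p["displayName"] for p in policies if blocks_device_code(p)]

# Constructed sample export in the Graph conditionalAccessPolicy shape (not a real tenant).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Device code - report only", "state": "enabledForReportingButNotEnforced",
  "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"},
   "users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Device code - pilot group excluded", "state": "enabled",
  "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
   "users": {"includeUsers": ["All"], "excludeGroups": ["<pilot-group-id>"]},
   "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Block device code flow - all users", "state": "enabled",
  "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"},
   "users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

if __name__ == "__main__":
    print("enforced tenant-wide by:", audit_device_code_flow(SAMPLE_POLICIES) or "NOTHING")
```

Run it against a real export (for example the output of listing the tenant's conditional access policies via Graph) to see which policies, if any, close the flow for everyone.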

Estia Health Rolls Out Zero Trust Across a Complex Aged-Care Workforce

Australian aged-care provider Estia Health has completed a significant security overhaul built around Zero Trust principles, according to iTnews. The challenge is a familiar one for healthcare operators: a large, geographically distributed workforce with high staff turnover, a mix of clinical and administrative roles, and devices ranging from managed endpoints to personal phones. Zero Trust — essentially the principle of never implicitly trusting any user or device regardless of network location — is increasingly the recommended posture under Australia's Essential Eight and ACSC guidance. The Estia rollout is a useful case study for other aged-care and health organisations navigating similar workforce dynamics, particularly as the sector faces growing targeting from ransomware groups.

iTnews

Service NSW Plots an Exit From VMware's Container Platform — and a 75% Cost Cut

Service NSW, the New South Wales government's digital services agency, is migrating away from VMware's Tanzu container platform and expects to slash its platform-as-a-service bill by around three-quarters in the process. The move is part of a broader rethink of the agency's cloud estate following Broadcom's acquisition of VMware and the significant licensing cost increases that followed. Service NSW is one of Australia's most visible digital-government operations, handling driver's licences, business registrations, and COVID-related services for millions of residents. The departure adds to a growing list of Australian public sector organisations quietly re-evaluating VMware dependencies since the Broadcom deal closed.

iTnews

Apple Bets Privacy Will Save Siri — Auto-Deleting Chats Are the Opening Move

The revamped Siri expected to debut in iOS 27 will let users set chat histories to auto-delete after 30 days or one year, or to be kept forever — a feature that no major AI assistant currently offers by default. The move is deliberate positioning: Apple is leaning into its privacy reputation as a differentiator in a market where OpenAI and Google are racing ahead on capability. It's an interesting strategic bet. Users who are anxious about AI companies retaining their conversations have a reason to stay in Apple's ecosystem even if Siri isn't the most capable chatbot. Whether that's enough to close the capability gap is a separate question.

The Verge

Australia Post Rebuilds Its IT Architecture Around 13 Platform Ecosystems

Australia Post's executive general manager of enterprise services, Michael McNamara, has outlined a significant restructuring of the organisation's IT estate — consolidating what was a sprawling mix of legacy systems into 13 defined "platform ecosystems." The approach reflects a broader shift in enterprise IT away from application-by-application management toward platform-level thinking, where shared capabilities (identity, data, integration) are owned centrally and business units build on top. For a logistics operator of Australia Post's scale — handling hundreds of millions of parcels annually — the architectural choices made now will shape resilience and security posture for a decade. McNamara discussed the roadmap in an iTnews podcast.

iTnews

AI at the Drive-Thru: McDonald's Pulled Out, but the Industry Is Doubling Down

McDonald's famously pulled its AI drive-thru ordering system in 2024 after a string of high-profile failures — orders for hundreds of McNuggets, bacon on ice cream, that sort of thing. But the broader fast-food industry hasn't given up. Wendy's, Taco Bell, and a growing list of regional chains are now deploying second- and third-generation voice AI systems, with vendors claiming significantly improved accuracy. The Verge's Emma Roth traces the arc from McDonald's early stumble to where the technology sits today — less a novelty pilot and more a cost-driven operational bet as labour costs rise. The question is whether the accuracy improvements are real or just better-trained demo conditions.

The Verge

Eric Schmidt Booed Offstage by Graduates Who Aren't Sold on an AI Future

Former Google CEO Eric Schmidt was repeatedly booed during his commencement address at the University of Arizona after steering his speech toward the promise of artificial intelligence. The reaction was striking — not from protestors outside, but from the graduating class itself. Schmidt acknowledged the anxiety in the room, citing fears about job losses and a changing climate, but the crowd's response underscored a real and growing disconnect between tech industry optimism about AI and the people preparing to enter an AI-disrupted job market. It's one data point, but a vivid one: the message that AI is a tool of opportunity lands differently when you're the one whose opportunities it might be replacing.

The Verge

The Musk v. Altman Trial's Final Question: Is Sam Altman Trustworthy?

The closing stretch of the Elon Musk v. OpenAI trial zeroed in on a question that's less legal than it is philosophical: can Sam Altman be trusted to run a company nominally organised for the benefit of humanity while simultaneously pursuing enormous commercial returns? Musk's legal team argued that Altman's behaviour — from the November 2023 board drama to OpenAI's conversion away from pure non-profit status — represents a pattern of prioritising personal and commercial interests over the original mission. Altman's defence countered that the mission requires resources, and resources require revenue. The trial's outcome won't settle the question, but the public record it's produced is a detailed brief on the governance tensions at the centre of the AI industry.

TechCrunch

Eclipse Ventures on Why the Cerebras IPO Validated Its "Physical World" Thesis

Eclipse Ventures managing partner Lior Susan invested in Cerebras when betting on physical-world and industrial technology felt deeply unfashionable — this was the era of pure software returns and software margins. Cerebras's $5.5 billion IPO this month, which priced at double the initial range, has made that thesis look prescient. In a TechCrunch interview, Susan argues the $2.5 billion Eclipse made from the Cerebras exit is a proof point for a broader thesis: that the next decade of technology value will accrue to companies building at the intersection of hardware, software, and the physical world. That includes AI chips, robotics, and advanced manufacturing — all areas where capital has been scarce relative to software.

TechCrunch

UK's GDS Wades Into the NHS Open-Source Retreat — and the Debate Is Bigger Than It Looks

The UK's Government Digital Service has publicly pushed back on the NHS's recent move away from open-source software, a decision that drew criticism from the open-source community when it was announced. Simon Willison flagged the exchange, which touches on a tension that's playing out in public sector technology globally: open-source reduces vendor lock-in and licensing costs, but it also requires internal capability to maintain, secure, and extend. The NHS's retreat — and GDS's pointed response — is a live case study in the trade-offs. Australian government agencies face the same tension, and the Digital Transformation Agency has historically encouraged open-source adoption without mandating it.

Simon Willison

The AI Skills Arms Race Is Reshaping How Carmakers Hire

The automotive industry's transition to software-defined vehicles is creating a skills crisis unlike anything the sector has experienced before. TechCrunch Mobility reports that carmakers and their Tier 1 suppliers are now competing directly with Google, Meta, and OpenAI for machine-learning engineers, data scientists, and AI safety researchers — a competition they are structurally ill-equipped to win on compensation alone. The response has been a mix of acqui-hires, university partnerships, and internal retraining programmes, none of which are moving fast enough to match the pace of the technology shift. For a sector already under pressure from electrification capex and Chinese competition, the talent squeeze is adding another layer of strategic risk.

TechCrunch