`Grafana` GitHub Token Leak Led to Source Download and Extortion Attempt

A leaked GitHub token gave an unauthorized party access to source code. Treat repo tokens as production secrets; rotation and scope limits are cheap insurance.

[ KEY POINTS ]

The attacker accessed Grafana's GitHub environment and downloaded source code, turning a token leak into a data-extortion incident.
Grafana refused to pay the ransom under FBI guidance. Incident response needs a payment stance before pressure hits.
A single repo token can expose private code. Keep scopes narrow, rotate regularly, and remove long-lived tokens where possible.

Originalnews.hada.io/topic?id=29655Read original →

// related

#0001
#0001Infra & SaaS GeekNews6 hours ago
`Railway` Outage Resolved After `Google Cloud` Account Block
50radar
RailwayPaaS hosting platform — Git-based app deploys
A provider-level account block took the platform down broadly. Treat hosted PaaS as a dependency with vendor lockout risk, not just runtime uptime.
- Users hit no healthy upstream, unconditional drop overload, login failures, and dashboard access failures — control plane and runtime both degraded.
- The cause was a Google Cloud account block, so the failure sat below Railway’s own app layer. Status pages alone do not cover this risk.
- For revenue apps, keep DB backups, DNS escape routes, and deploy docs outside the platform. Recovery speed depends on prewritten exits.
Source: news.hada.io/topic?id=29725Read original →
FIG-0011:1
50radar
FIG-0011:1
#0002
#0002Infra & SaaS GeekNews6 hours ago
European Payment Apps Form Sovereign Network Against Card Giants
40radar
WeroEuropean payment service — account-based real-time transfers
National wallet systems are linking with Wero to keep payment flows inside Europe. No immediate checkout change, but EU-facing products should watch alternative payment methods.
- The alliance connects Bizum, Bancomat, MB WAY, Vipps MobilePay, and Wero, creating a 130M active-user payment bloc.
- The stated goal is payments that do not route through US servers. Data residency is becoming part of payment UX, not just compliance.
- Practical impact is not immediate. For EU sales, keep checkout abstraction flexible enough to add regional methods without a rewrite.
Source: news.hada.io/topic?id=29721Read original →
FIG-0021:1
40radar
FIG-0021:1
#0003
#0003Infra & SaaS Latent Space8 hours ago
`Railway` Pushes an Agent-Native Cloud Narrative
70radar
RailwayCloud PaaS — Git-based app deploys and infra management
Own-metal infra and heavy coding-agent spend point to a tighter cloud/dev loop. Worth watching if deploy workflows move from PRs to agent-driven changes.
- Railway claims 3M users and 100K signups per week; distribution now matters as much as hosting features.
- Own-metal data centers signal margin control, not just Heroku-style UX. That can shape pricing and latency later.
- $200K+ coding agent spend is a strong signal that internal engineering workflows are being rebuilt around agents.
- “Death of PRs” frames deployment as agent-native operations. Small teams should watch whether review, rollback, and audit trails keep up.
Source: www.latent.space/p/railwayRead original →
FIG-0031:1
70radar
FIG-0031:1

`Grafana` GitHub Token Leak Led to Source Download and Extortion Attempt

// related

`Railway` Outage Resolved After `Google Cloud` Account Block

European Payment Apps Form Sovereign Network Against Card Giants

`Railway` Pushes an Agent-Native Cloud Narrative