Grafana discovered an uncomfortable truth this week: free software is beautiful, revolutionary, and liberating… right up until someone liberates your private code without permission.

For years, Grafana Labs built an identity around openness, community, and software freedom. In 2021, the company even relicensed core projects under AGPLv3 to “protect freedoms” and ensure modifications would also be shared.

Apparently, however, there was one small philosophical exception:

“Sharing code is good… except when it’s our enterprise code.”

Because yes: alongside the open source project, Grafana also sells proprietary enterprise features, closed plugins, and commercially licensed functionality.

Then the ideological miracle happened.

According to Grafana Labs, the breach involved a compromised GitHub access token that allowed attackers to access the company’s GitHub environment and download portions (and possibly the entirety) of its private codebase. The company stated that no customer data or production systems were affected, but confirmed that the attackers later attempted to extort Grafana in exchange for not releasing the stolen source code publicly. Grafana refused to pay the ransom and instead rotated credentials, launched a forensic investigation, and hardened internal security controls.

Suddenly, a company that spent years speaking the language of openness, collaboration, and digital freedom discovered there are subtle differences between “code wants to be free” and “the code generating millions in revenue would actually prefer to remain extremely private.”

The open source world, historically very enthusiastic about explaining that “information wants to be free”, suddenly faced a once-in-a-generation opportunity for doctrinal consistency.

If leaking corporate information is considered liberating when it happens to traditional companies… why not celebrate that Grafana itself has now become “more open source” than before?

Cynics might argue that the incident exposed the practical limits of AGPL idealism:

“If modifying software forces you to share your changes, then stealing the code directly just removes unnecessary steps.”

After all, Grafana publicly argued that AGPL helps preserve freedoms and prevents private appropriation of community software. Curiously, though, when the flow of openness reverses direction, from the company back toward the public internet, the philosophical enthusiasm seems to decline rather dramatically.

What makes the incident especially interesting is that the compromise appears tied to the modern CI/CD and GitHub Actions ecosystem itself, the same automation-heavy infrastructure many open source companies depend on to scale development. Security researchers pointed to GitHub workflow vulnerabilities and exposed automation tokens as a likely attack vector, highlighting how deeply the software supply chain now depends on ephemeral credentials, repository automation, and cloud-based developer tooling.
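The post names GitHub workflow weaknesses and exposed automation tokens only as a likely vector, so the following is an added illustration of the defensive side rather than a description of what happened at Grafana: a small, dependency-free lint that reads a GitHub Actions workflow file and flags two well-documented risk patterns, a missing top-level `permissions:` block (the job's `GITHUB_TOKEN` then inherits the repository default scope instead of an explicit least-privilege one) and a `pull_request_target` trigger that checks out the pull request head while secrets are in scope. The two workflow files below are constructed samples, and the line-based matching is a heuristic that will miss unusual YAML layouts; this is not Grafana's code or any GitHub-provided tool.

```python
"""Heuristic lint for GitHub Actions workflow files (added example).

Works line-by-line on the raw YAML text so it runs without a YAML parser.
Findings are returned as (code, message) pairs so they can be asserted on
or piped into a CI gate.
"""
import re
from typing import List, Tuple

# Top-level (column 0) permissions block for the workflow's GITHUB_TOKEN.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions\s*:")
WRITE_ALL_RE = re.compile(r"^permissions\s*:\s*write-all\s*$")
# The pull_request_target event runs with the base repo's secrets.
PRT_RE = re.compile(r"\bpull_request_target\b")
# Checking out the PR head under that event executes untrusted code.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_USE_RE = re.compile(r"\bsecrets\.[A-Za-z_][A-Za-z0-9_]*")


def lint_workflow(text: str) -> List[Tuple[str, str]]:
    """Return a list of (code, message) findings for one workflow file."""
    lines = text.splitlines()
    findings: List[Tuple[str, str]] = []

    if not any(TOP_LEVEL_PERMISSIONS_RE.match(ln) for ln in lines):
        findings.append((
            "NO_TOP_LEVEL_PERMISSIONS",
            "no top-level 'permissions:' block; GITHUB_TOKEN falls back to "
            "the repository default scope instead of least privilege",
        ))
    if any(WRITE_ALL_RE.match(ln) for ln in lines):
        findings.append((
            "PERMISSIONS_WRITE_ALL",
            "'permissions: write-all' grants every scope to GITHUB_TOKEN",
        ))

    uses_prt = any(PRT_RE.search(ln) for ln in lines)
    checks_out_head = any(HEAD_REF_RE.search(ln) for ln in lines)
    uses_secrets = any(SECRET_USE_RE.search(ln) for ln in lines)
    if uses_prt and checks_out_head:
        findings.append((
            "PRT_CHECKS_OUT_HEAD",
            "pull_request_target trigger checks out the PR head: untrusted "
            "code runs with the base repository's token and secrets",
        ))
    if uses_prt and uses_secrets:
        findings.append((
            "PRT_WITH_SECRETS",
            "secrets are referenced in a workflow triggered by "
            "pull_request_target; prefer a plain pull_request trigger "
            "or split privileged steps into a separate workflow",
        ))
    return findings


# Constructed sample: the weak shape the lint is meant to catch.
WEAK_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample: same job with an explicit read-only token and the
# untrusted-event trigger replaced by pull_request.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}]")
        for code, msg in lint_workflow(wf) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it against a checkout of `.github/workflows/*.yml` and fail the pipeline on any finding; the `PRT_*` codes are the ones worth treating as blocking, while `NO_TOP_LEVEL_PERMISSIONS` is usually fixed by adding `permissions: contents: read` at the top of the file and widening scopes per job only where needed.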

In other words, the breach was not merely philosophical irony; it was also a reminder that the infrastructure behind “open development” has become a major security surface of its own.

Within hours, thousands of developers rediscovered a fundamental law of the modern open source ecosystem: “Transparency is wonderful as long as it remains asymmetrical.”

The incident also highlighted another educational contradiction.

For years, parts of the FOSS ecosystem criticized permissive licenses for being “too corporate,” promoting more viral licenses like AGPL specifically to force companies to share modifications. At the exact same time, many modern open source companies quietly built enormous proprietary layers on top of that rhetoric: enterprise plugins, closed features, cloud lock-in, and commercial licensing tiers.

In other words:

“Software should be free.”
Some restrictions apply.*

*Please contact sales for additional freedoms.
