The frequent occurrences of cascading failures in power grids have been receiving continuous attention in recent years. An urgent task for us is to assess the vulnerability of power grids against various kinds of attacks, which trigger cascading failures. In this brief, we formulate a cost-constrained hybrid attack in power grids, where both nodes and links are targeted with a limited total attack cost. Based on the consequence and cost of removing a component (node or link), we propose an attack centrality metric for components, which can be either local or global depending on the depth of cascading failures. We further propose a greedy hybrid attack and another optimal hybrid attack by applying the attack centrality. Simulation results on IEEE bus test data demonstrate that the optimal attack is more efficient than the greedy one. Furthermore, we find, counterintuitively, that the local centrality based attack algorithms perform better than the global centrality based ones when attack cost is a concern. Our work can help in the robustness optimization of power systems by revealing the worst-case attack vulnerability and most vulnerable components.