Hackers may have stolen sensitive customer data from a Red Hat GitLab instance.
The Red Hat breach claims were made in Telegram posts by a group calling itself “Crimson Collective,” which said it exfiltrated 28,000 repositories, including client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure.
A Red Hat spokesperson told The Cyber Express that the company “is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps. The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain.”
Red Hat Acknowledges GitLab Intrusion
In a blog post late today, Red Hat said the company had detected unauthorized access in a GitLab instance used for “internal Red Hat Consulting collaboration in select engagements.” The company launched an investigation, removed the unauthorized access, isolated the instance, and contacted authorities. The company has since implemented additional hardening measures.
“Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance,” the Red Hat blog post said.
“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, and internal communications about consulting services,” the post said. “… While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time.”
Red Hat said it is “engaging directly with any customers who may be impacted.”
The Crimson Collective Telegram channel appears to have been taken down, but the content of the posts has been preserved in Cyble’s threat intelligence database, and some security researchers captured screenshots and file/repository lists of the group’s breach claims.
Red Hat Breach Files Allegedly Include Client Environment Data
One October 1 Telegram post by Crimson Collective claims that “Over 28000 repositories were exported, it includes all their customer’s CERs and analysis of their infra’ + their other dev’s private repositories, this one will be fun.”
The hackers claim that their extortion demands were ignored by Red Hat.
The list of allegedly stolen repositories includes potentially sensitive data from hundreds of companies, many of them well known. The files appear to include potentially sensitive data like configuration registries and code, IT playbooks, cloud development platform files, AI project-related files, network and infrastructure information, cloud and virtualization documentation, and more.
The hackers also claim that they found authentication tokens inside the repos – and they claim to have already used them to compromise Red Hat customers.
The hackers’ claims remain unverified, but the group recently took credit for defacing a Nintendo site.
In other Red Hat security news, the company recently reported a vulnerability (CVE-2025-10725) in its OpenShift platform for managing the lifecycle of predictive and GenAI models across hybrid cloud environments. The Incorrect Privilege Assignment flaw is rated 9.9, but there have been no reports of exploitation, and Red Hat classified the vulnerability as “Important and not Critical because it requires minimal authentication for the remote attacker to Jeopardize an environment.”
Red Hat said late today that CVE-2025-10725 did not play a role in the GitLab incident.
