Red Hat confirms breach: one GitLab environment might expose major organizations, including the NSA


Red Hat, a leading software company behind the enterprise Linux distribution, has confirmed that its GitLab instance, containing consulting engagement data, was compromised. Cybercriminals on Telegram claim they’ve snatched sensitive data about approximately 800 customers' networks.

Little-known extortion group Crimson Collective posted claims that it gained access to over 28,000 Red Hat repositories, containing 570.2 GB in total. The extracted data allegedly includes around 800 Customer Engagement Reports (CERs), exposing sensitive customer information, such as their network configurations.

The hackers posted the claims on a Telegram channel created on September 24th, 2025. As proof, the cybercriminals provided the entire file tree, a list of allegedly stolen CERs, and some other screenshots.

Multiple channels on X reposted the contents of the exposed file tree, listing major companies and organizations.

According to International Cyber Digest, these include the National Security Agency (NSA), the Department of Energy, the National Institute of Standards and Technology (NIST), IBM, Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Telefonica, other major telecoms, banks, and many other organizations.

Hackers posted screenshots of file structures containing configuration files and tools such as server inventories, automation scripts (Ansible playbooks), OpenShift setup guides, code-deployment runners, VPN settings, container registry configs, secret-management links, backups, exported GitHub/GitLab repository configurations, and more.

“Source code and consulting engagement reports (CERs), if leaked, can help attackers analyze internal company infrastructure and software running on that infrastructure. This makes it significantly easier and faster to identify vulnerable attack vectors for potential attackers,” said Aras Nazarovas, information security researcher at Cybernews.

The stolen data might include authentication tokens with identifiers that might enable attackers to access other resources, such as databases, APIs, or sensitive information.

The hackers also claim that they’ve already gained access to some of Red Hat’s client infrastructure. Cybernews doesn’t have access to the allegedly leaked information and cannot independently verify the validity of the claims or the full scope of the alleged incident.

Red Hat: security incident affects one GitLab environment

Red Hat explains that the security incident solely relates to a specific GitLab environment used by the Red Hat Consulting team.

“The security incident we are investigating is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub,” Stephanie Wonderlick, Red Hat’s VP of Brand Experience + Communication, said.

Red Hat also released a security update with additional details. The compromised GitLab instance is used for internal Red Hat Consulting collaboration in select engagements.

“We promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance,” Red Hat’s team said.

Has my data been leaked?

The consulting engagement data, housed in the compromised GitLab instance, may include Red Hat’s project specifications, example code snippets, and internal communications about consulting services. Bleeping Computer was the first to receive a confirmation from the company, saying Red Hat has “initiated necessary remediation steps.”

“This GitLab instance typically does not house sensitive personal data. While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time. We will notify you directly if we believe you have been impacted,” the post reads.

“The analysis is ongoing.”

Red Hat assures that it has no reason to believe that this security issue impacts any of its other services or products, including Red Hat’s software supply chain or software downloads on official channels. The team takes the security and integrity of the systems and the data “extremely seriously.”

“We are addressing this issue with the highest priority.”

The team also clarified that the security incident is unrelated to a recently disclosed critical vulnerability in Red Hat OpenShift AI (CVE-2025-10725). This vulnerability enables low-privileged attackers to escalate their privileges to full cluster administrator and steal data, disrupt services, take control of underlying infrastructure, and completely compromise the cluster’s confidentiality, integrity, and availability.

The company did not address the hackers' other claims, including that they allegedly received no response to their initial report and extortion attempts. The hackers also posted about their open ticket being assigned to multiple staff members, complaining that Red Hat was ignoring them.

Updated on October 3rd [06:45 a.m. GMT] with a statement from Red Hat and additional information.
