Red Hat confirms security incident after claims of GitLab repository breach

Red Hat has confirmed a security incident affecting its consulting business after the extortion group known as the Crimson Collective claimed to have breached the company's private GitLab repositories.

The attack allegedly occurred in late September 2025 and resulted in the theft of approximately 570GB of compressed data from 28,000 internal projects. The stolen data includes roughly 800 Customer Engagement Reports (CERs), consulting documents that contain sensitive information about client infrastructure and could be used to compromise downstream customer networks.

The Crimson Collective published evidence of the breach on Telegram on September 24, 2025, including a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025. According to the threat actors, they used authentication credentials embedded within Red Hat's code repositories and customer engagement reports, which they claim to have already used to gain unauthorized access to some of Red Hat's clients' infrastructure. The attackers attempted to extort Red Hat but reported receiving only a templated response directing them to submit a vulnerability report to the security team.

Red Hat acknowledged the incident in a statement to BleepingComputer, confirming that "Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps. The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain." 

The company didn't address the claims made by the attackers about the scope of the breach or the volume of data stolen.

The compromised data allegedly includes:

  • Credentials and authentication tokens
  • CI/CD secrets and pipeline configuration files
  • VPN connection profiles
  • Infrastructure blueprints and architecture diagrams
  • Database connection strings and full database URIs
  • Container registry configurations
  • Ansible playbooks and automation scripts
  • OpenShift deployment guides
  • Vault integration secrets
  • Backup files and configuration templates
  • Network maps and configuration details

The nature of the attack and the number of affected individuals have not been disclosed.

The directory listings published by the attackers reference entities including Bank of America, T-Mobile, AT&T, Fidelity, Kaiser Permanente, Mayo Clinic, Walmart, Costco, Citi, Verizon, Siemens, Bosch, JPMorgan Chase, HSBC, Merrick Bank, Telstra, Telefonica, AXA, BBVA, BNP Paribas, BNSF Railway, Boeing, Capgemini, Cisco, Cummins, Deloitte, the U.S. Navy's Naval Surface Warfare Center, Federal Aviation Administration, House of Representatives, and the U.S. Senate.

Organizations that have engaged Red Hat's consulting services should review their security posture and rotate all credentials and authentication tokens that may have been shared with Red Hat.
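The artifact types listed above (database URIs with embedded passwords, CI/CD tokens, Vault tokens, Ansible variables) are exactly the kind of hard-coded credentials the attackers say they reused, and the rotation advice only works once an organization knows where such secrets sit in its own repositories and shared engagement documents. The following is an added example, not code from the article or from Red Hat, of a small scanner that walks a set of files, flags lines that look like embedded credentials, redacts the matched value in its report, and groups the findings into a rotation checklist by credential class. The sample files and every value in them are constructed for the example; the `glpat-` and `hvs.` prefixes follow GitLab personal access token and HashiCorp Vault token conventions as assumed here, and the patterns are illustrative rather than exhaustive.

```python
import re
from dataclasses import dataclass

# Constructed sample files resembling the artifact types named in the article.
# Every value below is made up for this example; none comes from the breach.
SAMPLE_FILES = {
    "app/config/database.yml": (
        "production:\n"
        "  url: postgres://svc_app:S3cretPassw0rd@db.internal.example:5432/appdb\n"
    ),
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script:\n"
        "    - export REGISTRY_TOKEN=glpat-EXAMPLEEXAMPLEEXAMPLE\n"
        "    - docker login registry.example -u ci -p $REGISTRY_TOKEN\n"
    ),
    "ansible/group_vars/all.yml": (
        "vault_addr: https://vault.internal.example\n"
        "vault_token: hvs.EXAMPLEEXAMPLEEXAMPLEEXAMPLE\n"
        "ansible_ssh_pass: Winter2025!\n"
    ),
    "docs/README.md": "Deployment guide. No secrets here.\n",
}

# Detection patterns. The token prefixes are assumed conventions for GitLab
# (glpat-) and HashiCorp Vault (hvs.); the generic patterns catch the rest.
PATTERNS = [
    # scheme://user:password@host  (database connection strings / full URIs)
    ("database_uri_with_password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@[^\s]+")),
    ("gitlab_personal_access_token", re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}")),
    ("hashicorp_vault_token", re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}")),
    # key: value or key=value where the key names a password or secret
    ("password_assignment",
     re.compile(r"(?i)\b(?:ansible_ssh_pass|password|passwd|secret)\s*[:=]\s*\S+")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # the offending line with the matched value redacted


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that matches a pattern (first pattern wins)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # Never echo the secret itself into logs or tickets.
                redacted = line[:m.start()] + f"<redacted:{kind}>" + line[m.end():]
                findings.append(Finding(path, line_no, kind, redacted.strip()))
                break
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping (swap in os.walk for a real tree)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def rotation_checklist(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by credential class so each class becomes one rotation task."""
    checklist: dict[str, list[str]] = {}
    for f in findings:
        checklist.setdefault(f.kind, []).append(f"{f.path}:{f.line_no}")
    return checklist


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
    print("\nRotation checklist:")
    for kind, locations in rotation_checklist(results).items():
        print(f"  {kind}: {', '.join(locations)}")
```

The report deliberately replaces the matched value with a redaction marker so that the scanner's own output does not become another copy of the secret. Grouping by credential class is what turns a pile of hits into the rotation task the article recommends: each class maps to a distinct issuer (database, GitLab, Vault, SSH) whose credentials must be reissued and the old ones revoked.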

Correction: After publishing, Red Hat reported that the breach was on one of its GitLab instances, not GitHub. The title and story have been updated.

Update: As of October 7, 2025, multiple ransomware groups, including ShinyHunters, Crimson Collective, and Scattered Lapsus$ Hunters, are collaborating to extort the entities whose engagement documents were stolen in the Red Hat breach. The threat actors have leaked sample customer data and announced plans for further coordinated attacks.