Recent reports suggest that hackers have potentially compromised sensitive customer information from a Red Hat GitLab instance. A group identifying itself as the “Crimson Collective” has claimed responsibility, alleging they exfiltrated around 28,000 repositories that include client Customer Engagement Reports (CERs) and various details concerning client infrastructures.
A Red Hat representative confirmed to The Cyber Express that the organization is investigating these claims. The spokesperson stated, “We are aware of reports concerning a security incident tied to our consulting operations and are taking all necessary remediation steps. Ensuring the security and integrity of our systems and the data of our clients is our top priority. At present, we have no indication that this security issue affects any other Red Hat services or products, and we maintain confidence in the integrity of our software supply chain.”
Red Hat Acknowledges GitLab Intrusion
In a recent blog entry, Red Hat stated that it had detected unauthorized access to a GitLab instance that was used for internal collaboration in specific consulting engagements. The company has launched a thorough investigation, terminated the unauthorized access, isolated the affected instance, and alerted the relevant authorities. It has also rolled out extra security measures to fortify its systems.
According to the blog post, “Our ongoing investigation revealed that an unauthorized third party accessed and copied certain data from this instance.” The compromised GitLab repository included consulting engagement documents, which might consist of project specifications, example code snippets, and internal communications relating to consulting services. While the investigation is still in progress, Red Hat indicated that they have not identified any sensitive personal data among the compromised files at this time.
Red Hat also mentioned that they are proactively engaging with any clients who may be affected by this incident.
Although the Crimson Collective’s Telegram channel appears to have been removed, the posts were archived in Cyble’s threat intelligence database, and some cybersecurity researchers were able to capture screenshots along with lists of repositories purportedly connected to the breach.
Details of Allegedly Stolen Client Environment Data
In a post dated October 1, the Crimson Collective asserted, “More than 28,000 repositories were exported, which includes all their customers’ CERs and analysis of their infrastructure, plus other private repositories belonging to their developers—this will be interesting.” The hackers claimed that Red Hat had overlooked their extortion demands.
The list of allegedly stolen repositories reportedly contains sensitive data from numerous well-known companies. Evidence suggests the files encompass significant information such as configuration registries, IT playbooks, cloud platform development files, AI project documentation, and various infrastructure details. The hackers also mentioned discovering authentication tokens within the repositories and claimed they have already used these tokens to compromise certain Red Hat customers.
While the claims from the hackers have yet to be substantiated, it is worth noting that this group recently took credit for defacing a Nintendo website, raising questions about their credibility.
Other Security Concerns at Red Hat
In separate security updates, Red Hat has recently acknowledged a vulnerability (CVE-2025-10725) in its OpenShift platform, which is designed to manage predictive and GenAI models within hybrid cloud environments. This Incorrect Privilege Assignment flaw carries a severity rating of 9.9. However, Red Hat has clarified that there have been no reports of this vulnerability being exploited, and it categorizes the flaw as “Important and not Critical” because a remote attacker needs minimal authentication to endanger a system.
Furthermore, Red Hat reiterated that the identified vulnerability (CVE-2025-10725) is unrelated to the ongoing investigation concerning the GitLab incident.