
A hacker group has claimed that they infiltrated a GitLab instance of American software company Red Hat and stole nearly 570GB of compressed data.
Recently, a group of threat actors going by the name Crimson Collective said it stole nearly 570GB of compressed data across 28,000 internal development repositories. The stolen data included credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints.
‼️🚨 Red Hat breached: Crimson Collective stole 28k private repositories, including credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints. Our analysis of obtained data: 👇 pic.twitter.com/ECMYLlHqyj
— International Cyber Digest (@IntCyberDigest) October 1, 2025
According to International Cyber Digest (ICD), the stolen files include thousands of repositories referencing major banks, telecoms, airlines, and several public-sector organisations, including Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and the U.S. Senate.
Among the stolen data are nearly 800 Customer Engagement Reports (CERs), which often contain sensitive insights into a customer’s network and systems. These reports, typically prepared as part of consulting engagements, may include infrastructure diagrams, configuration details, access credentials, and other information that could be leveraged to infiltrate customer networks.
ICD added that the threat actor tried contacting Red Hat; however, the company ignored them and stopped communication.
Acknowledging the reports of the data security incident, in a statement shared with BleepingComputer, Red Hat confirmed that the breach involved its GitLab instance used exclusively by Red Hat Consulting for client engagements — not its GitHub repositories.
“Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps,” Red Hat told BleepingComputer.
“The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain.”
Although Red Hat declined to answer further questions about the breach, the threat actors told BleepingComputer that the intrusion took place approximately two weeks ago.
According to the hackers, they discovered authentication tokens, full database URIs, and other sensitive information within Red Hat code and Customer Engagement Reports (CERs), which they claim were used to access downstream customer infrastructure. The group also published what appears to be a full directory listing of the stolen GitLab repositories, along with a list of CERs dating from 2020 to 2025, via Telegram.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543