Red Hat Confirms Breach Of GitLab Instance

Published on Oct 3, 2025
Written by Joel Witts

A cybercriminal gang has claimed to have stolen data from one of Red Hat’s GitLab instances, according to screenshots posted in Telegram channels.

Red Hat has confirmed cybercriminals breached a GitLab environment used by the Red Hat consulting team, but has not verified the claims made by the attackers.

The group, which calls itself the “Crimson Collective,” claims to have stolen 28,000 private repositories, including credentials, VPN profiles, and infrastructure blueprints, according to InternationalCyberDigest.

SOCRadar threat researchers allege that in a Telegram channel, the gang shared proof of the compromise, including Ansible playbooks, VPN settings, CI/CD pipeline runners, and server inventories.

“A total of 800+ customers may be impacted, based on the document listings,” SOCRadar said. “The exposed organizations include both commercial giants like IBM, Citi, Siemens, Bosch, and Verizon, as well as U.S. government agencies including the NSA, Department of Energy, NIST, and others.”

The group claims to have stolen nearly 570GB of compressed data in total, allegedly including 800 Customer Engagement Reports, which may contain sensitive information, BleepingComputer reports.

SOCRadar urges organizations to review engagements, check for exposed configurations, and rotate credentials as a precaution.

https://twitter.com/IntCyberDigest/status/1973422846396473765

According to reports, the attackers contacted Red Hat with an extortion demand, which the company did not respond to.

https://twitter.com/IntCyberDigest/status/1973422860254466471

The scope of the breach and whether any customers have been impacted is currently unconfirmed. In a statement, Red Hat did not verify the attackers’ claims and said that the exposed instance does not typically contain sensitive data. 

https://twitter.com/RedHat/status/1973834145009635761

“We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements,” Red Hat said.

“Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities.”

“Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”

Red Hat is currently working directly with customers who may have been impacted.

The breach is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725), which was disclosed on October 2nd.

24-09-25 – Update – Crimson Collective has announced via Telegram that it has partnered with Scattered Lapsus$ Hunters—a notorious hacking collective made up of members of the Scattered Spider, Lapsus$, and ShinyHunters groups—to continue its extortion attempts against Red Hat via a newly-published ShinyHunters leak site.

Following the announcement, a Red Hat entry has been listed on the new extortion site, alongside a threat that the Crimson Collective would be releasing the stolen data on October 10th if Red Hat fails to negotiate their ransom demands with ShinyHunters.

Crimson Collective threat actors reportedly told BleepingComputer that they would be collaborating with ShinyHunters on future attacks and releases.

