Red Hat repos raided, claims cybercrew, files stolen • The Register

10/02/2025


A hacking crew claims to have broken into Red Hat’s private GitLab repositories, exfiltrating some 570GB of compressed data, including sensitive documents belonging to customers. 

An extortion group calling itself “the Crimson Collective” claimed on Telegram, in messages seen by The Register, that it accessed more than 28,000 internal repos and stole hundreds of Customer Engagement Reports (CERs). These consultancy documents typically contain architecture diagrams, configuration details, authentication tokens, and network maps – effectively a blueprint of a customer’s IT environment.

The attackers have published file listings and shared samples of the supposed loot. Materials seen by us include configuration snippets, database connection strings, and references to customer systems that match the kind of content typically found in CERs. The crew claims the reports span 2020–2025 and involve major organizations in banking, telecoms and government.

Alongside the documents, the group also asserts it found authentication tokens inside repos and reports, and says it has already used these to compromise downstream Red Hat customers. 

“Btw gained access to some of their client’s infrastructure as well, already warned them but yeah they preferred ignoring us,” the Crimson Collective wrote on Telegram.

At the time of writing, Red Hat has not responded to questions about whether it has suffered a breach, how attackers may have gained access, or whether it has received any demands from the hackers, who claim to have contacted Red Hat with an extortion demand only to receive a generic “submit a vulnerability report” style response. It is not known if Red Hat has notified customers of potential data exposure.

While much of Red Hat’s source code is public by design, internal repositories can include proprietary tooling, test frameworks, and sensitive metadata. The bigger concern lies with the CERs: rather than being generic code artefacts, these documents map out real-world infrastructure, providing attackers with a head start should they target those organisations.

To make matters worse, Red Hat is already under scrutiny for a critical bug in its OpenShift AI platform. The flaw, rated 9.9 in severity, could allow a low-privilege user to escalate privileges and seize full control of a cluster’s master nodes. Red Hat acknowledged the issue in a security advisory, but has not publicly confirmed whether it has been exploited. 

Until Red Hat comments, the full extent of this latest alleged breach remains unconfirmed. However, with file listings and samples already circulating, the incident has no doubt raised alarm among the open source giant’s enterprise users. ®
