Red Hat Confirms Data Breach After Hackers Claim to Steal 570GB of Private GitHub Repositories


Red Hat, the world’s leading enterprise open-source software provider, has officially confirmed a significant security incident involving unauthorized access to its internal GitLab instance used by the Red Hat Consulting team. 

This confirmation comes after the threat actor group known as Crimson Collective claimed to have exfiltrated approximately 570GB of compressed data from 28,000 private repositories, marking one of the most substantial source code breaches in recent cybersecurity history.

Private GitLab Repository Compromised

The breach specifically targeted a GitLab environment used by Red Hat Consulting for collaboration on select client engagements. 

According to Red Hat’s official statement, the unauthorized third party successfully accessed and copied sensitive data from this instance before security teams detected the intrusion. 

The company immediately launched a comprehensive investigation, revoked the attacker’s access, isolated the compromised instance, and contacted appropriate law enforcement authorities.

The stolen data allegedly encompasses a vast array of sensitive technical assets, including CI/CD secrets, pipeline configuration files, VPN connection profiles, infrastructure blueprints, Ansible playbooks, OpenShift deployment guides, container registry configurations, and Vault integration secrets. 


Security researchers analyzing the claimed breach data have identified references to thousands of organizations across multiple critical sectors, including major financial institutions like Citi, JPMC, and HSBC, telecommunications giants such as Verizon and Telefonica, industrial companies including Siemens and Bosch, and even government entities like the U.S. Senate.

The breach represents a supply chain attack vector that could impact Red Hat’s extensive customer ecosystem. 

The exposed repositories reportedly contain Infrastructure-as-Code (IaC) templates, DevOps automation scripts, and credential management configurations that adversaries could leverage for secondary infiltration attempts against Red Hat’s consulting clients. 

The presence of SSH keys, API tokens, and database connection strings within the compromised data creates multiple attack vectors for threat actors seeking to establish persistent access to downstream systems.

Security experts warn that the leaked container registry configurations and Kubernetes deployment manifests could provide attackers with detailed blueprints for targeting cloud-native infrastructures across Red Hat’s client base. 

The exposure of GitLab CI/CD runner configurations and automated deployment pipelines particularly concerns cybersecurity professionals, as these components often contain elevated privileges necessary for enterprise software deployment and management.
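The risk described above is that credentials committed into CI/CD configuration, Ansible playbooks and key files become usable the moment a repository is copied. The following scanner is an added example for defenders and is not code from Red Hat, from the article, or from the breach data: it walks constructed sample files (every path and value below is invented) and flags private-key blocks, connection strings with embedded passwords, and literal secret assignments, while leaving variable references such as `${VAULT_TOKEN}` or `{{ lookup(...) }}` alone so that properly externalized secrets do not produce noise.

```python
"""Scan CI/IaC repository contents for committed credentials (added example)."""
import math
import re
from dataclasses import dataclass

# Constructed sample repository contents. Every file name and value is invented
# for this example; none of it comes from the incident discussed above.
SAMPLE_FILES = {
    ".gitlab-ci.yml": """\
stages: [build, deploy]
variables:
  REGISTRY: registry.example.internal
  REGISTRY_PASSWORD: "hunter2-Example-Registry-Secret"
deploy:
  script:
    - docker login -u ci -p "$REGISTRY_PASSWORD" $REGISTRY
    - export VAULT_TOKEN=${VAULT_TOKEN}
""",
    "playbooks/db.yml": """\
- hosts: db
  vars:
    db_url: postgres://app:S3cretPassw0rd@db.example.internal:5432/prod
    api_token: "{{ lookup('env', 'API_TOKEN') }}"
""",
    "keys/deploy_key": """\
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA(example, truncated)
-----END OPENSSH PRIVATE KEY-----
""",
}

# Detection rules (hypothetical, kept deliberately simple for illustration).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# scheme://user:password@host... -- a password embedded in a connection string
CONN_STRING_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:([^\s@/]+)@\S+")
# key containing a secret-ish word, assigned a literal value with ':' or '='
KEYWORD_RE = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:password|passwd|secret|token|api_key|access_key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*[\"']?([^\"'\s]+)"
)
# Values that are references to an external secret store, not the secret itself.
REFERENCE_PREFIXES = ("$", "${", "{{", "%(")
MIN_SECRET_LEN = 8


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    key: str
    preview: str   # masked, so the report itself does not leak the value
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, placeholders score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def mask(value: str) -> str:
    """Keep only a short prefix so a finding can be located without exposing it."""
    return f"{value[:4]}...[{len(value)} chars]"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, line_no, "private-key", "", line.strip(), 0.0))
            continue
        m = CONN_STRING_RE.search(line)
        if m:
            pw = m.group(1)
            findings.append(Finding(path, line_no, "connection-string", "", mask(pw), shannon_entropy(pw)))
            continue
        for m in KEYWORD_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            # Skip references to CI variables / vault lookups and trivially short values.
            if value.startswith(REFERENCE_PREFIXES) or len(value) < MIN_SECRET_LEN:
                continue
            findings.append(Finding(path, line_no, "keyword-assignment", key, mask(value), shannon_entropy(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, e.g. a checkout or a tarball listing."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.key} {f.preview} entropy={f.entropy:.2f}")
```

Running the block reports three findings (the registry password literal, the password inside `db_url`, and the private key header) and none for the `$REGISTRY_PASSWORD`, `${VAULT_TOKEN}` or `lookup('env', ...)` references. Run as a pre-commit hook or pipeline job, a check like this catches the secret before it lands in history; once a repository has already been copied, as in the incident above, every value it would have flagged has to be treated as compromised and rotated, regardless of how long it sat in the repository.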

Red Hat has implemented additional hardening measures to prevent further unauthorized access and stated that preliminary analysis indicates no impact on its primary software supply chain or official software distribution channels. 

However, the company continues to conduct forensic analysis to determine the full scope of customer impact, with direct notifications planned for any affected Red Hat Consulting clients. 

The incident is unrelated to the recently disclosed CVE-2025-10725 vulnerability affecting Red Hat OpenShift AI services.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.