Hackers Claim Breach Of Red Hat Customer Data


Hackers claim to have breached a Red Hat GitHub instance and stolen sensitive customer data.

The claims were made in Telegram posts by a group calling itself “Crimson Collective,” which said it exfiltrated 28,000 repositories, including client Customer Engagement Reports (CERs) and other sensitive data about client infrastructure.

A Red Hat spokesperson told The Cyber Express that the company “is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps. The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain.”

The company added the incident under investigation “is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub.”

The Crimson Collective Telegram channel appears to have been taken down, but the content of the posts has been preserved in Cyble’s threat intelligence database, and some security researchers captured screenshots and file/repository lists of the group’s breach claims.

Red Hat Breach Files Allegedly Include Client Environment Data

One October 1 Telegram post by Crimson Collective claims that “Over 28000 repositories were exported, it includes all their customer’s CERs and analysis of their infra’ + their other dev’s private repositories, this one will be fun.”

The hackers claim that their extortion demands were ignored by Red Hat.

The list of allegedly stolen repositories includes potentially sensitive data from hundreds of companies, many of them well known. Among the files are configuration registries and code, IT playbooks, cloud development platform files, AI project-related files, network and infrastructure information, cloud and virtualization documentation, and more.

The hackers also claim that they found authentication tokens inside the repos – and they claim to have already used them to compromise Red Hat customers.

The hackers’ claims remain unverified, but the group recently took credit for defacing a Nintendo site.

In other Red Hat security news, the company recently reported a vulnerability (CVE-2025-10725) in its OpenShift platform for managing the lifecycle of predictive and GenAI models across hybrid cloud environments. The Incorrect Privilege Assignment flaw is rated 9.9, but there have been no reports of exploitation, and Red Hat classified the vulnerability as “Important and not Critical because it requires minimal authentication for the remote attacker to jeopardize an environment.”


