Red Hat Confirms Major Security Breach Involving Internal GitLab Instance

Red Hat, widely recognized as the world’s leading provider of enterprise open-source solutions, has confirmed a significant cybersecurity incident involving unauthorized access to an internal GitLab server used by its Consulting team.

The breach, now under active investigation, follows claims by the hacker group Crimson Collective, who allege they exfiltrated approximately 570GB of compressed data from over 28,000 private repositories. If accurate, this would mark one of the most substantial source code leaks in recent memory.

Red Hat Consulting GitLab Environment Was the Target

According to Red Hat’s official disclosure, the breach targeted a GitLab environment used for collaboration within Red Hat Consulting, supporting engagements with select clients. An unauthorized third party was able to access and extract data from the server before detection.

In response, Red Hat initiated a full-scale investigation, cut off attacker access, isolated the compromised system, and alerted the relevant law enforcement agencies. The company has since rolled out additional security hardening measures.

What Was Exposed?

Initial reports suggest the stolen data includes a vast trove of sensitive technical assets, such as:

  • CI/CD secrets and pipeline configurations
  • VPN profiles and infrastructure blueprints
  • Ansible playbooks and OpenShift deployment guides
  • Container registry configurations and Vault integration secrets
  • SSH keys, API tokens, and database credentials

Security researchers examining the data found references to thousands of organizations, spanning multiple critical sectors. These include major financial institutions like Citi, JPMC, and HSBC, telecom giants such as Verizon and Telefonica, industrial leaders like Siemens and Bosch, and even U.S. government entities, including the U.S. Senate.

Potential Supply Chain Risks

The breach is being described as a supply chain threat, as many of the exposed repositories contain Infrastructure-as-Code templates, automation scripts, and configuration files that could be weaponized in secondary attacks.

Of particular concern are:

  • Kubernetes deployment manifests
  • Container registry credentials
  • GitLab CI/CD runner configurations
  • Privileged deployment pipelines

These components often carry elevated access within enterprise environments, making them prime targets for lateral movement or persistent backdoor access.
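The categories of material listed above share one root cause: credentials and private keys committed in plaintext alongside the CI/CD and automation code that uses them. The following is an added, constructed example (not Red Hat's tooling and not code from the article) of a minimal repository scanner that flags exactly that, while skipping values that are merely references (a `$VAR` resolved by the CI runner, a `{{ lookup(...) }}` in Ansible, or an Ansible-Vault-encrypted block). The sample files, token value and hostnames are all constructed; the only real-world facts it relies on are that GitLab personal access tokens carry the `glpat-` prefix and that Ansible Vault blocks begin with `!vault` in YAML.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample repository files (invented for this example, not leaked data).
SAMPLE_FILES = {
    ".gitlab-ci.yml": (
        "stages: [build, deploy]\n"
        "variables:\n"
        "  REGISTRY: registry.example.internal\n"
        "deploy:\n"
        "  stage: deploy\n"
        "  script:\n"
        "    # Variable reference: resolved by the runner, nothing stored in the repo\n"
        '    - docker login -u ci -p "$CI_REGISTRY_PASSWORD" $REGISTRY\n'
        "    # Constructed token using GitLab's glpat- prefix, pasted in plaintext\n"
        '    - curl -H "PRIVATE-TOKEN: glpat-EXAMPLEEXAMPLEEXAMPLE" '
        "https://gitlab.example.internal/api/v4/projects\n"
    ),
    "playbooks/db.yml": (
        "- hosts: db\n"
        "  vars:\n"
        "    db_user: app\n"
        "    # Plaintext literal: this is what the scanner should flag\n"
        '    db_password: "Sup3rSecret!"\n'
        "    # Lookup from the environment at run time: not a stored secret\n"
        "    api_key: \"{{ lookup('env', 'API_KEY') }}\"\n"
        "    # Ansible-Vault-encrypted value: ciphertext, not a plaintext secret\n"
        "    vault_token: !vault |\n"
        "      $ANSIBLE_VAULT;1.1;AES256\n"
        "      61626364656667686970...\n"
        "  tasks: []\n"
    ),
    "deploy/ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # never contains the full secret value


# "key: value" lines whose key name suggests a credential.
KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key|apikey)[\w.-]*)"
    r"\s*:\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

# Self-identifying secret formats that are a finding wherever they appear.
TOKEN_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
}


def is_plaintext_literal(value: str) -> bool:
    """True if the YAML value is a literal rather than a reference or ciphertext."""
    v = value.strip().strip("\"'")
    if not v:
        return False
    # $VAR (CI variable), {{ ... }} (Jinja lookup), !vault (Ansible Vault ciphertext)
    return not (v.startswith("$") or v.startswith("{{") or v.startswith("!vault"))


def mask(value: str) -> str:
    """Keep a short prefix for triage and mask the rest so reports are safe to share."""
    v = value.strip().strip("\"'")
    return v[:3] + "*" * max(len(v) - 3, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # YAML/shell comments never hold live config
            continue
        for kind, pattern in TOKEN_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, kind, mask(m.group(0))))
        m = KEY_RE.match(line)
        if m and is_plaintext_literal(m.group("value")):
            excerpt = f"{m.group('key')}: {mask(m.group('value'))}"
            findings.append(Finding(path, lineno, "yaml_literal", excerpt))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.excerpt}")
```

Run against the constructed files, the scanner reports one finding per file: the `glpat-` token in the CI script, the `db_password` literal in the playbook, and the private key file. The `$CI_REGISTRY_PASSWORD` reference, the `lookup('env', ...)` expression and the `!vault` block are deliberately not reported, which is the behaviour a pre-commit or pipeline gate needs so that it blocks plaintext secrets without blocking the correct ways of handling them.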

Red Hat’s Response & Ongoing Investigation

Red Hat has emphasized that its main software supply chain and official distribution channels remain unaffected. The breach is not linked to the recent CVE-2025-10725 vulnerability involving OpenShift AI services.

While forensic analysis is still ongoing, Red Hat has committed to notifying any Consulting clients directly affected by the breach. The company continues to work with cybersecurity experts and authorities to fully understand the incident’s impact.
