Open-source software company Red Hat has confirmed a security breach on one of its GitLab instances after a threat actor claimed to have stolen nearly 570 GB of data from across various repositories.
“We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements,” the company stated.
Upon detecting the breach, Red Hat responded by isolating the breached GitLab instance, launching an investigation, terminating the threat actor’s access, and notifying the relevant authorities.
Red Hat claims security breach poses no supply chain risk
Red Hat says the security breach did not affect other products or the software supply chain, which could severely impact its downstream customers. It added that the breached GitLab instance was only used for its consulting business and that software downloaded from official channels was unaffected.
“At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.”
Nevertheless, Red Hat says the security breach allowed the threat actor to access certain data, including code snippets, project specifications, and internal communications.
“Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”
The IBM subsidiary also stressed that the affected GitLab instance does not store sensitive data, and its ongoing investigation has found no evidence that the security breach exposed personal information.
However, the attacker known as the Crimson Collective claims to have stolen 570 gigabytes of data from across 28,000 private repositories. The allegedly stolen source code also includes Customer Engagement Reports (CERs) containing sensitive customer and platform information.
While most Red Hat source code is publicly available, CERs contain infrastructure information, such as network architecture and system configuration details, authentication information, including credentials and security tokens, and operational insights, like troubleshooting information, that could undermine the security of downstream customers.
According to the attacker, the stolen data spans between 2020 and 2025 and affects critical sectors, including government, banking, and telecommunications. Companies seemingly affected include Bank of America, Fidelity, Kaiser, AT&T, T-Mobile, Costco, Walmart, Mayo Clinic, the House of Representatives, U.S. Naval Surface Warfare Center, and the Federal Aviation Administration.
The Crimson Collective also claims to have already exploited the stolen authentication tokens to compromise downstream customers.
“Btw gained access to some of their client’s infrastructure as well, already warned them but yeah they preferred ignoring us,” it stated.
The hacking group claims to have contacted Red Hat for ransom negotiations. However, the software giant allegedly replied with the generic “submit a vulnerability report” response, created a ticket, and kept assigning it to additional staff members from various departments.
Red Hat implemented security measures
Meanwhile, Red Hat has implemented additional security measures to harden its systems and prevent a similar security breach.
“We have now implemented additional hardening measures designed to help prevent further access and contain the issue.”
The company also clarified that the security breach was unrelated to the OpenShift AI vulnerability CVE-2025-10725 it had previously disclosed.
Nevertheless, it remains unclear how the threat actor breached Red Hat’s GitLab instance. Despite GitLab having disclosed security vulnerabilities CVE-2024-5655 and CVE-2024-6385, the attackers were unlikely to have breached the company’s infrastructure.
GitLab also confirmed that the data breach did not originate from its systems but from Red Hat’s self-hosted instance of the GitLab Community Edition, for which security is the user’s responsibility.
Subsequently, it advised self-managed GitLab users to apply the necessary software updates, security fixes, and configurations to prevent threat actors from breaching their development environments.

