Hackers Claim 570GB Red Hat Da...
Business Fortune
04 October, 2025
Approximately 570GB of compressed data, including private customer documents, was allegedly stolen by a hacker team that gained access to Red Hat's private GitHub repositories.
In Telegram messages seen by The Register, an extortion group identifying itself as "the Crimson Collective" claimed to have gained access to over 28,000 internal repositories and stolen hundreds of Customer Engagement Reports (CERs). These consulting documents, which are essentially a blueprint of a client's IT environment, often include network maps, authentication tokens, configuration information, and architecture diagrams.
The attackers have made public file listings and samples of the purported loot. They show materials such as database connection strings, configuration snippets, and references to customer systems, which correspond to the type of content commonly found in CERs. The crew claims that the reports, which cover the years 2020–2025, involve significant government, banking, and telecom organizations.
The group claims that in addition to the documents, it discovered authentication tokens within reports and repositories, which it has already exploited to compromise downstream Red Hat customers.
The Crimson Collective posted on Telegram that it had also obtained access to some of Red Hat's clients' infrastructure and had warned them, but was ignored.
Questions about whether Red Hat has experienced a breach, how attackers might have obtained access, and whether the hackers have made any demands of it have not been answered as of this writing. The hackers say they contacted Red Hat with an extortion demand and received merely a generic "submit a vulnerability report" response. It is unclear whether Red Hat has alerted clients to the possibility of data exposure.
Internal repositories may contain sensitive metadata, test frameworks, and proprietary tooling, even though a large portion of Red Hat's source code is intentionally made public. The CERs are of greater concern because, rather than being generic code artifacts, they map out real-world infrastructure, giving attackers an advantage if they target those organizations.
To make matters worse, Red Hat is already being investigated for a serious flaw in its OpenShift AI platform. This vulnerability, which has a severity rating of 9.9, could give a low-privilege user the ability to escalate privileges and take complete control of the master nodes in a cluster. Although Red Hat acknowledged the problem in a security advisory, the company has not made any public statements regarding its exploitation.