Hundreds of GB Stolen from GitHub in Red Hat Breach – Infrastructure of Major Corporations and Government Agencies at Risk

ExcalibuR
The attackers tried to negotiate a ransom, but the company subjected them to a bureaucratic nightmare.

Red Hat, an American provider of enterprise solutions based on Linux, confirmed a cybersecurity incident shortly after a group calling itself Crimson Collective claimed to have stolen nearly 570 GB of data from the company's private GitHub repositories.

The hackers claim they gained access to 28,000 internal projects, among which are approximately 800 Customer Engagement Reports (CERs) containing detailed information about client network infrastructure, their system configurations, authorization tokens, and other sensitive data. Such documents are used in consulting projects and could directly threaten the security of corporate networks.

In a statement, Red Hat confirmed the incident but declined to provide details regarding the stolen data. The company noted that the issue affected its consulting business and did not impact its other services or products. Red Hat emphasized its confidence in the integrity of its software supply chain and reported implementing measures to address the consequences.

In correspondence with BleepingComputer journalists, Crimson Collective insisted that the tokens and databases found in the code and reports allowed them to infiltrate the infrastructure of some clients. To support their claims, the malicious actors published a complete list of the stolen repositories and CER reports, dated from 2020 to 2025, on Telegram. Among the mentioned organizations are Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Federal Aviation Administration, the House of Representatives, and the Naval Surface Warfare Center.

According to the hackers themselves, the intrusion occurred approximately two weeks ago. They claim to have tried to contact Red Hat and make a ransom demand but received only an automated response suggesting they submit a message to the security team via a standard vulnerability reporting form. The attackers allege that their request was then repeatedly redirected between the company's legal and information security department employees.

Simultaneously, the group claimed responsibility for a recent attack on the Nintendo website, where one of the pages temporarily displayed the hackers' contact information and links to their Telegram channel. This reinforced suspicions that Crimson Collective aims to use high-profile targets not only for extortion but also to draw attention to their data distribution channels.
 