Red Hat GitLab Breach by Crimson Collective Exposes Sensitive Data and Credentials
Red Hat confirmed a significant security incident after hackers from a group calling themselves "Crimson Collective" breached the company's GitLab instance. The attackers reportedly exfiltrated nearly 570GB of data, including approximately 800 Customer Engagement Reports spanning from 2020 to 2025. These reports are believed to contain sensitive information such as infrastructure details, authentication tokens, database URIs, and other credentials that could potentially allow unauthorized access to customer networks. In addition to the reports, the attackers claim to have stolen 28,000 private repositories, which included credentials, CI/CD secrets, pipeline configurations, VPN profiles, and infrastructure blueprints. The breach has raised concerns about the exposure of confidential customer and internal Red Hat data, as well as the potential for downstream attacks leveraging the stolen information. Analysis of the leaked data suggests that the attackers obtained a wide array of sensitive materials that could be used for further exploitation or sold on underground forums. The incident highlights the risks associated with source code management platforms and the importance of securing CI/CD pipelines and repository access. Red Hat has acknowledged the breach and is conducting an internal investigation to assess the full scope and impact. The company is working with affected customers to mitigate risks and has likely initiated incident response protocols, including credential rotation and infrastructure reviews. Security experts warn that the exposure of such a large volume of sensitive data could have long-term repercussions for both Red Hat and its customers, especially if the information is weaponized by other threat actors. The breach underscores the need for robust access controls, regular security audits, and rapid response capabilities in managing source code and customer data. Industry observers are closely monitoring the situation for signs of further exploitation or public release of the stolen data. The incident serves as a stark reminder of the evolving threat landscape and the persistent targeting of technology vendors by sophisticated cybercriminal groups. Organizations are advised to review their own security postures, especially regarding third-party software providers and supply chain dependencies, in light of this breach.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Researchers publish findings on AI model loading security risks
A report highlighting security risks associated with loading AI models was published, warning that using a model can expose systems to attacker-controlled behavior or malicious payloads. The available references do not provide further dated milestones beyond the publication of the research coverage.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Red Hat GitLab Data Breach and Extortion by Crimson Collective and ShinyHunters
Red Hat, a leading enterprise software provider, confirmed a significant cyberattack resulting in unauthorized access to one of its GitLab instances. The breach was initially claimed by a hacking group known as Crimson Collective, who stated they had exfiltrated approximately 570GB of compressed data from Red Hat's internal development repositories. Among the stolen data were around 800 Customer Engagement Reports (CERs), which contain sensitive infrastructure and authentication details for numerous organizations across various sectors. Red Hat clarified that the compromised GitLab instance was used exclusively for Red Hat Consulting engagements, but the exposure of CERs poses a substantial risk to affected customers. Following the breach, Crimson Collective attempted to extort Red Hat, demanding a ransom to prevent the public disclosure of the stolen data. When Red Hat did not respond to these demands, Crimson Collective escalated their efforts by partnering with the ShinyHunters extortion group. ShinyHunters subsequently listed Red Hat on their newly launched data leak site, threatening to release the stolen data publicly if their ransom demands were not met by October 10th. The extortion campaign was further publicized through posts on Telegram, where the threat actors boasted about their alliance and intentions to target corporations. The incident highlights the growing trend of collaboration among cybercriminal groups to maximize pressure on victims and increase the likelihood of ransom payments. The breach also underscores the risks associated with third-party and internal development platforms, as attackers increasingly target these environments for valuable data. Red Hat's confirmation of the breach and the nature of the compromised data has raised concerns among its customers, particularly those whose sensitive information may now be at risk of exposure. The attack is part of a broader pattern of ransomware and extortion operations targeting high-profile technology companies. Security researchers have noted that the professionalization and convergence of cybercrime groups, as seen in this incident, are making such attacks more sophisticated and damaging. The Red Hat breach serves as a warning to organizations to strengthen their security posture around development environments and to prepare for the possibility of multi-stage extortion campaigns. The incident also demonstrates the importance of timely communication and transparency with affected stakeholders in the aftermath of a breach. As the deadline for the public release of the stolen data approaches, Red Hat and its customers face heightened risks of data exposure, reputational damage, and potential regulatory scrutiny. The evolving tactics of groups like Crimson Collective and ShinyHunters signal a challenging threat landscape for enterprises worldwide.
Mar 21, 2026
Nissan Customer Data Exposed via Red Hat GitLab Breach
Nissan Motor Co. confirmed that personal data of approximately 21,000 customers was compromised following unauthorized access to a Red Hat-managed server. The breach, detected in September, affected customers who purchased vehicles or received services at the former Nissan Fukuoka Motor Co. (now Nissan Fukuoka Sales Co.), exposing names, addresses, phone numbers, partial or full email addresses, and other sales-related customer information. No credit card or financial data was reported stolen, and Nissan has stated there is no evidence the leaked information has been misused, though customers are advised to remain vigilant for potential phishing or fraud attempts. The incident originated from a breach of a dedicated GitLab instance managed by Red Hat Consulting, with the intrusion detected by Red Hat on September 26 and Nissan notified on October 3. The Crimson Collective threat actor initially claimed responsibility for the theft of hundreds of gigabytes of data from 28,000 private GitLab repositories, with ShinyHunters later hosting samples of the stolen data on their extortion platform. Nissan has apologized for the incident and pledged to strengthen monitoring of subcontractors and enhance information security measures in response to the breach.
Mar 21, 2026
GitLab GraphQL API High-Severity Vulnerabilities and DoS Risk
GitLab has addressed two high-severity vulnerabilities in its GraphQL API, impacting both Community Edition (CE) and Enterprise Edition (EE) deployments. One of the vulnerabilities, tracked as CVE-2025-10004, allows unauthenticated attackers to launch denial-of-service (DoS) attacks by sending specially crafted GraphQL queries that request large repository blobs. This exploit can exhaust server resources, leading to severe performance degradation or complete unavailability of GitLab services. The vulnerability affects GitLab versions prior to 18.4.2, 18.3.4, and 18.2.8, and administrators are urged to upgrade to these patched versions immediately. The flaw is particularly critical for public-facing GitLab instances, as it does not require authentication to exploit, increasing the risk of opportunistic attacks. The CVE-2025-10004 vulnerability received a CVSS v3.1 base score of 7.5, underscoring its high risk to organizations relying on GitLab for source control and CI/CD pipelines. In addition to CVE-2025-10004, GitLab also patched other high-severity issues in the same update cycle, including vulnerabilities related to GraphQL authorization and JSON file uploads, both of which could also result in DoS conditions. GitLab.com and GitLab Dedicated customers were not affected by these vulnerabilities, as those platforms were either already patched or architecturally isolated from the exposure. The company responded promptly by releasing security updates and providing guidance for self-managed instance administrators. The vulnerabilities could have enabled attackers to disrupt development workflows, potentially creating further security risks during periods of downtime. Security professionals are advised to prioritize patching and to review their exposure, especially for internet-accessible GitLab deployments. The incident highlights the importance of timely vulnerability management in DevOps environments, where service availability is critical. GitLab's swift response and transparent disclosure have been commended by the security community. Organizations are also encouraged to monitor for unusual activity and to implement additional controls to limit the impact of potential DoS attacks. The vulnerabilities were discovered and reported through responsible disclosure channels, enabling GitLab to coordinate a secure and effective patch release. This event serves as a reminder for all DevOps teams to maintain up-to-date software and to stay informed about security advisories affecting their toolchains. The technical details of the vulnerabilities emphasize the need for robust input validation and resource management in API design. GitLab's handling of the incident demonstrates best practices in vulnerability response and communication.
Mar 21, 2026