Hackers from a group calling themselves Crimson Collective breached Red Hat’s self-hosted GitLab repository, stealing 570 GB of sensitive data from over 28,000 code repositories. The stolen files reportedly include access tokens, consulting project data, network audits, and customer engagement reports involving major clients such as Walmart, American Express, and HSBC.

Red Hat confirmed on October 2, 2025, that the breach affected a GitLab system used internally for consulting collaborations, containing materials like project specifications, code snippets, and limited business contact information. The company emphasized that GitLab’s own infrastructure was not compromised.

Crimson Collective, believed to have links to the Lapsus$ cybercrime group, demanded a ransom by October 10 and has since begun releasing some stolen data after Red Hat allegedly ignored its outreach. The group described itself as an extortion-for-profit operation.