A hacking group calling itself the Crimson Collective claims to have breached Red Hat’s private GitHub repositories, stealing nearly 570GB of compressed data spread across over 28,000 internal projects. The group claims it accessed approximately 800 Customer Engagement Reports (CERs), internal consulting documents that often contain sensitive client information.
CERs are prepared by Red Hat consultants for clients and typically include infrastructure diagrams, configuration data, internal IP addresses, authentication tokens, and other details that, if exposed, could be used to compromise customer networks.
Red Hat has confirmed to BleepingComputer that it is aware of the reports of a security incident related to its consulting business but didn’t corroborate any of the hackers’ claims. The company said it had initiated remediation steps and said that the integrity of its software supply chain remains intact. It also said there is currently no indication that the breach impacts any other Red Hat services or products.
To back up their claims, the attackers released a complete directory listing of the stolen GitHub repositories and a list of CERs dated from 2020 to 2025 via Telegram. The organizations named in the exposed CER directory include Bank of America, T-Mobile, AT&T, Fidelity, Kaiser Permanente, Mayo Clinic, Walmart, Costco, the US Navy’s Naval Surface Warfare Center, the Federal Aviation Administration, and the US House of Representatives.
The Crimson Collective says it reached out to Red Hat with an extortion demand but received only an automated response directing them to submit a vulnerability report to the company’s security team. According to the group, the ticket they created was passed through various hands, including Red Hat’s legal and security departments, but was never addressed directly.
Previously, the Crimson Collective claimed responsibility for defacing a Nintendo topic page, briefly adding their contact information and a link to their Telegram channel.