What started as cyber crew bragging has now been confirmed by Red Hat: someone gained access to its consulting GitLab system and walked away with data.
The IBM-owned open source giant said in a blog post on Thursday that "an unauthorized third party had accessed and copied some data from a Red Hat Consulting-managed, dedicated GitLab instance."
That wording aligns with boasts made earlier this week by a group calling itself the Crimson Collective, which claimed to have raided some 28,000 Red Hat repositories. In Telegram messages seen by The Register, the group claims to have stolen hundreds of Customer Engagement Reports, which typically contain architecture diagrams, configuration details, authentication tokens, and network maps.
Red Hat isn't saying what kind of data was taken, or whose it was. It has limited itself to stressing that the incident was confined to the consulting GitLab environment.
Red Hat also confirmed that it has "engaged leading security experts" and notified law enforcement – standard fare for any corporate breach disclosure. Beyond that, it's keeping schtum. There's no word on whether customers' materials were involved, whether client-specific repositories were exposed, or how exactly the intruders gained access.
That leaves plenty of unanswered questions. Consulting environments often contain more than just toy projects: documentation, integration scripts, and client configs can all end up in repos, and those can provide useful intelligence for future attacks.
The Crimson Collective, meanwhile, is making as much noise as it can. The group has been touting samples of allegedly stolen Red Hat repositories, claiming a far bigger haul than Red Hat has acknowledged. The attackers, who shared samples of the allegedly stolen data with The Register, claim the stolen reports span 2020–2025 and involve major organizations in banking, telecoms, and government.
The group also claims to have hit downstream Red Hat customers – claims that have prompted Belgium's national cybersecurity authority to sound the alarm. In an advisory on Friday, it warned of a "high risk... potential supply chain impact" and urged Belgian organizations to revoke and rotate all tokens, keys, and credentials shared with Red Hat or used in integrations.
"At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain," Red Hat spokesperson Stephanie Wonderlick told The Register.
Red Hat is equally silent on whether the intrusion involved ransomware or extortion. Unlike groups such as Clop, which specialize in double-extortion leaks, Crimson Collective has yet to establish much of a track record beyond bluster. For now, Red Hat has carefully avoided mentioning demands, negotiations, or the e-word.
The timing isn't great. Just a day before Crimson Collective's claims surfaced, Red Hat was already making headlines over a critical bug in OpenShift AI that required patching. The two issues are unrelated, but the optics of "new bug" followed by "GitLab breach" are less than flattering.
Red Hat has promised to "provide updates if we learn of significant new information." Until then, customers are left hoping that the incident really was as limited as the company insists. ®