The recent case in which 570 gigabytes of compressed Red Hat data were exfiltrated from 28,000 GitHub repos expanded Tuesday, as Crimson Collective and Scattered Lapsus$ Hunters reportedly leveraged the Shiny Hunters data leak site to apply more pressure on Red Hat.This incident dates back to Oct. 2, when Red Hat confirmed in a blog post it detected unauthorized access to a GitLab instance used for internal Red Hat Consulting activities.Red Hat said the compromised GitLab instance housed numerous consulting engagement reports (CERs), including project specifications, example code snippets, and internal communications about consulting services.“The Red Hat breach is escalating, with the notorious extortion group ShinyHunters now involved, threatening to leak stolen data from more than 28,000 internal repositories,” said John Carberry, solution sleuth at Xcape, Inc. “Security teams should immediately change any potentially compromised credentials, review access logs, and brace for follow-up attacks exploiting the leaked information. The volume and sensitivity of the data make this breach a major supply chain security threat.”Amir Khayat, co-founder and CEO at Vorlon, added that the Red Hat Beach represents a textbook SaaS ecosystem exposure amplified by an extortion‑as‑a‑service economy.“This breach moved from intrusion to extortion in less than a week,” said Khayat. “That speed exposes the new reality of SaaS: once data leaves a trusted boundary, attackers don’t need patience. They need partners. Extortion‑as‑a‑service means every overlooked repository or token can become tomorrow’s public crisis.”Khayat said teams with continuous, ecosystem‑wide visibility will detect and contain identity misuse fast enough to prevent the kind of cascading exposure that 28,000 repositories represent. Security teams should start by mapping every connected SaaS and developer platform, auditing and rotating tokens and secrets on a fixed schedule, and monitoring cross‑app data flows in real time, said Khayat.Jason Soroko, senior fellow at Sectigo, said the intrusion path in this case fits a familiar pattern that starts in a code platform and ends in customer environments. Attackers gained access to a self-hosted GitLab instance used by Red Hat Consulting and mined CERs and repos for hardcoded secrets including tokens and database credentials that opened doors into connected systems.“Reports that ShinyHunters has joined the extortion push point to a shift from pure theft to pressure-based monetization and suggest collaboration or affiliate overlap with the original operators since their social engineering and malicious OAuth expertise can amplify follow-on access and help convert stolen data into leverage,” explained Soroko. "Security teams should assume any secret shared with Red Hat Consulting or present in internal repos is burned and act immediately.”Soroko said teams should take the following steps;
- Rotate every API token service account key, SSH key database password, and signing key that could have touched those workflows and re-enroll developer access with hardware backed MFA.
- Launch continuous secrets scanning across all repositories, including docs and CERs and block any commit that contains credentials while invalidating stale OAuth grants and rebuilding from known good images and infrastructure as code.
- Reduce blast radius with short lived credentials least privilege scoped vault issued tokens and OIDC based workload identity and turn on detections for mass git clones unusual API reads new OAuth app consents and privilege spikes, backed by just in time admin and conditional access.
- Prepare for extortion by staging customer and regulator notifications standing up takedown and negotiation playbooks planting canary credentials to spot misuse and monitoring leak sites and marketplaces while coordinating rotation plans and attestations with affected partners.
