GitLab Repository Breach Exposes Sensitive Data from Walmart, Red Hat, American Express, and HSBC


Author: CyberDudeBivash — cyberbivash.blogspot.com | Published: Oct 11, 2025

TL;DR

  • Red Hat has confirmed unauthorized access to a self-managed GitLab instance used by its consulting team; threat actors claim they exfiltrated a very large corpus of internal repositories and Customer Engagement Reports. 
  • Samples and reporting published by researchers indicate the stolen dataset contains consulting reports and configuration details referencing major organizations including Walmart, American Express and HSBC — this has triggered alerts and vendor outreach. 
  • Multiple extortion groups and leak sites have surfaced samples and are attempting to monetize the theft; affected organizations should operate under the assumption of possible exposure and follow an aggressive incident response playbook. 

What happened (short)

On and around Oct 1–3, 2025, a cybercrime group publicly claimed access to and exfiltration from a Red Hat Consulting GitLab instance. The actor(s) say they copied hundreds of gigabytes from tens of thousands of repositories, including Customer Engagement Reports (CERs) that can contain architecture diagrams, configuration snippets, and in some cases secrets or tokens used in project engagements. Red Hat confirmed unauthorized access to a GitLab instance and said it has isolated the system and launched an investigation. 


Who may be affected

Researchers and reporting indicate that the stolen materials reference many large enterprises and institutions. Media and intel vendors have called out organizations that appear in sample CERs, including Walmart, American Express and HSBC among others — note that third-party reporting is based on leaked samples and claimed victim lists, and Red Hat’s public statement is cautious while the investigation continues. Affected organizations should treat these reports seriously and assume material that mentions them may be in the wild. 


Why this sort of breach is dangerous

  • Rich reconnaissance data: CERs and consulting artifacts often include detailed network maps, device inventories, configuration backups, and recovery procedures that materially reduce the work an attacker needs to map a target environment.
  • Embedded secrets: historically, repositories used during consulting or migrations sometimes contain temporary credentials, API keys, or database URIs that — if not rotated — can be abused.
  • Supply-chain cascading risk: an attacker with intelligence from one vendor’s consulting reports can build targeted campaigns, pivot to vendor customers, or craft highly credible spear-phishing lures.

What we know so far — key verified / reported facts

  1. Red Hat confirmed unauthorized access to a self-managed GitLab instance used by its Consulting team and said it isolated the instance and launched an investigation. 
  2. Threat actors claim to have exfiltrated ~570 GB of compressed data spanning tens of thousands of repositories (public claims / samples circulated by multiple actor channels and intelligence vendors). 
  3. Samples published by leaking groups and vendor analyses show Customer Engagement Reports and consulting artifacts mentioning many large organizations, and multiple extortion sites have attempted to monetize samples. 
  4. Regulatory/industry advisories and member notices have been circulated to affected sectors advising aggressive monitoring and credential rotation.

Immediate actions for potentially impacted organizations (priority checklist)

Treat this as urgent if you appear in any leaked sample, or if you use Red Hat Consulting services and had access or engagement artifacts created during projects.

  1. Confirm exposure:
  2. Rotate credentials & secrets:
  3. Harden and monitor:
  4. Enforce MFA & step-up:
  5. Search & hunt:
  6. Preserve evidence & coordinate:

Hunting recipes — SIEM/EDR queries to adapt

Tune thresholds and fields to your environment. These are defensive templates to help find probable misuse of exposed artifacts.

# Example (Splunk) — look for new API keys or access keys being used in the last 7 days
index=cloudtrail earliest=-7d (eventName=CreateAccessKey OR eventName=PutRolePolicy OR eventName=CreateServiceLinkedRole)
| stats count min(_time) as first_seen by userIdentity.arn, eventName, sourceIPAddress
| convert ctime(first_seen)
| sort -count
# Example (Elastic, ES|QL) — console logins per user and source IP, newest first-seen IPs on top
FROM logs-aws.cloudtrail-*
| WHERE event.dataset == "aws.cloudtrail" AND event.action == "ConsoleLogin"
    AND user.name IN ("list_of_service_accounts_or_usernames_from_CERs")
| STATS logins = COUNT(*), first_seen = MIN(@timestamp) BY user.name, source.ip
| SORT first_seen DESC
# Generic: search for reused service accounts or tokens across tenants (SQL; adapt table and column names)
SELECT actor, COUNT(*) AS uses
FROM auth_events
WHERE token_id IN (SELECT token FROM suspected_leak_tokens)
  AND event_time > NOW() - INTERVAL '14' DAY
GROUP BY actor
HAVING COUNT(*) > 3;

Longer-term remediation & supply-chain lessons

  • Secrets hygiene:
  • Encrypted artifacts & access controls:
  • SBOM & artifact transparency:
  • Contractual security SLAs:

What vendors and integrators should do now

  • Audit the consulting Git/CI/CD environment access logs and rotate any build/signing credentials that might have had access to the compromised instance.
  • Perform a comprehensive secret-scan of the exfiltrated repo set (and of current repos) and notify customers whose artifacts reference credentials or sensitive topology.
  • Offer targeted support to impacted customers: artifact mapping, privileged-key rotation, and hands-on threat-hunting assistance.
  • Publish clear guidance and indicators (without exposing further customer-sensitive material) so SOCs can triage quickly. 
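The secret-scan step above (and the "embedded secrets" risk described earlier) in working form: an added example, not Red Hat's or GitGuardian's tooling, that scans CER-style text for a few common secret shapes and produces a redacted rotation inventory suitable for customer notification. The patterns, the sample report and the `redact` policy are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for secret types that show up in consulting artifacts.
# Assumed ruleset, not exhaustive; tune before running over a real repo set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "db_uri_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:([^@\s]+)@\S+"),
    "generic_token_assignment": re.compile(
        r"(?i)\b(api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{12,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
UNREDACTED = {"private_key_block"}  # a PEM header is evidence, not the secret itself

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # enough to identify what to rotate, never the full value

def redact(value: str) -> str:
    """Keep a prefix/suffix so the owner can match the secret without re-exposing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one artifact; the last capture group (if any) is the secret value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                shown = secret if kind in UNREDACTED else redact(secret)
                findings.append(Finding(path, line_no, kind, shown))
    return findings

def rotation_inventory(findings: list[Finding]) -> list[tuple[str, str]]:
    """Unique (kind, redacted) pairs: the list a customer needs to act on."""
    return sorted({(f.kind, f.redacted) for f in findings})

# Constructed sample CER fragment (not real data; AKIA value is AWS's documented example key).
SAMPLE_CER = """\
# Customer Engagement Report (constructed sample, not real data)
cluster: prod-ocp-01
ansible_user: svc-migrate
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_url: postgres://svc_user:Sup3rS3cret!@db.example.internal:5432/app
api_key = "demo_api_0123456789abcdef"
-----BEGIN RSA PRIVATE KEY-----
MIIEow...
"""

if __name__ == "__main__":
    for kind, shown in rotation_inventory(scan_text("cer/sample.md", SAMPLE_CER)):
        print(f"rotate {kind}: {shown}")
```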

Extortion & leak activity — what to expect

Multiple leak/extortion sites and groups have posted or offered samples of the stolen data and attempted to monetize the theft. That increases the likelihood that samples will be shared widely and that opportunistic attackers will try to weaponize extracted credentials or configuration details. Organizations should act quickly to contain and rotate exposed secrets and to harden access paths referenced in leaked artifacts.


Explore the CyberDudeBivash Ecosystem

Need rapid help responding to this incident? We offer:

  • Emergency IR coordination & forensic preservation
  • Secrets & key-rotation playbooks for cloud and on-prem environments
  • Tailored SIEM/EDR hunts and CER artifact mapping support



Selected sources & verification

  • Red Hat — public security notice on unauthorized access to a Consulting GitLab instance. 
  • GitGuardian, Anomali and vendor blogs — technical summaries of the claimed exfiltration and scope. 
  • Reporting aggregated by CybersecurityDive and others listing sample CERs that reference major organizations (Walmart, American Express, HSBC). 
  • Leak / extortion activity and vendor escalation reported by BleepingComputer and others; multiple extortion sites are circulating samples. 
  • Industry advisory notices and member guidance encouraging monitoring and credential rotation. 

Hashtags:

#CyberDudeBivash #RedHatBreach #GitLabBreach #SupplyChainSecurity #IncidentResponse #Walmart #AmericanExpress #HSBC
