TL;DR: Red Hat confirmed a breach of a consulting GitLab instance after attackers claimed access to nearly 28,000 private repositories and about 800 Customer Engagement Reports that could include tokens, database URIs, and environment details, underscoring how consulting artefacts become credential-rich attack paths. Static secrets and shared deliverables are the governance failure, not just the repository exposure.
NHIMG editorial — based on content published by Aembit covering the Red Hat GitLab consulting breach: Red Hat GitLab breach exposes how consulting repositories can become credential risk
By the numbers:
- GitHub alone reported more than 39 million secrets leaked across repositories in 2024.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: What breaks when consulting repositories contain live credentials?
A: When consulting repositories contain live credentials, they stop being documentation and become access infrastructure.
Q: Why do static NHI credentials increase third-party breach impact?
A: Static NHI credentials increase third-party breach impact because they persist beyond the moment of use.
Q: How do security teams know if consulting artefacts are outside governance?
A: Security teams know consulting artefacts are outside governance when deliverables contain tokens, secrets, database URIs, or access notes that were never meant to survive the engagement.
Practitioner guidance
- Audit consulting repositories for embedded credentials: Scan GitLab, GitHub, and shared deliverable stores for tokens, keys, certificates, full URIs, and environment files.
- Remove live secrets from customer-facing reports: Redesign Customer Engagement Reports so that diagrams and troubleshooting notes cannot carry operational tokens or reusable database connection details.
- Move delivery workflows to secretless access: Use workload identity federation and just-in-time credentials for CI/CD and consulting activity so static tokens do not accumulate in repositories or report bundles.
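The first two guidance items above (auditing deliverable stores for embedded credentials, and stripping reusable connection details out of Customer Engagement Reports) can be put into a small defensive check. The following is an added example written for this editorial; it is not Red Hat, GitLab or Aembit code and does not reflect what was actually in the leaked reports. It scans a constructed report bundle for common secret shapes (token prefixes, `scheme://user:password@host` connection strings, `KEY=VALUE` lines naming a secret, and environment files that should not be in a deliverable at all), then produces a redacted copy that keeps the troubleshooting value of a connection string while dropping the password. All sample values are constructed; the AWS pair is the placeholder from AWS documentation.

```python
"""Scan a consulting deliverable bundle for embedded credentials and redact them.

Added example for this editorial, not code from the breach, Red Hat, GitLab or
Aembit. The bundle and every secret in it are constructed; the AWS pair is the
documentation placeholder, not a real key.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample "Customer Engagement Report" bundle (path -> content).
SAMPLE_BUNDLE = {
    "cer/troubleshooting.md": (
        "## Fix applied\n"
        "Connected with: psql postgres://app_user:Sup3rS3cret@db.internal.example:5432/orders\n"
        "Pipeline deploy token: glpat-constructedEXAMPLEtoken1234\n"
    ),
    "cer/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "cer/architecture.md": "## Topology\nLB -> app tier -> db.internal.example (replica on :5433)\n",
}

# Secret shapes. These use only public prefix conventions; there is no vendor
# validation, so treat hits as candidates for review and revocation.
PATTERNS = {
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_\-]{20,}"),
    "github_pat": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # scheme://user:password@host... is a reusable connection string.
    "uri_with_password": re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:[^\s@]+@\S+"),
    # KEY=VALUE where the key names a secret; values already replaced by a
    # "<REDACTED:...>" placeholder are skipped so a redacted line stays clean.
    "env_secret": re.compile(r"^[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|KEY)[A-Z0-9_]*=(?!<)\S+$"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # 1-based; 0 marks a file-level finding
    kind: str


def scan_bundle(bundle: dict[str, str]) -> list[Finding]:
    """Return every credential-shaped item found in the bundle, without the values."""
    findings: list[Finding] = []
    for path, content in bundle.items():
        # An environment file does not belong in a deliverable, whatever it holds.
        if path.rsplit("/", 1)[-1].endswith(".env"):
            findings.append(Finding(path, 0, "env_file"))
        for line_no, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(path, line_no, kind))
    return findings


def strip_uri_password(uri: str) -> str:
    """Keep scheme, user, host, port and path of a connection string; drop the password."""
    parts = urlsplit(uri)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username:
        netloc = f"{parts.username}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_text(text: str) -> str:
    """Rewrite a report so it keeps its diagnostic content but no operational secret."""
    out = []
    for line in text.splitlines():
        line = PATTERNS["uri_with_password"].sub(lambda m: strip_uri_password(m.group(0)), line)
        for kind in ("gitlab_pat", "github_pat", "aws_access_key_id", "private_key_block"):
            line = PATTERNS[kind].sub(f"<REDACTED:{kind}>", line)
        if PATTERNS["env_secret"].search(line):
            key, _, _ = line.partition("=")
            line = f"{key}=<REDACTED:env_secret>"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def redact_bundle(bundle: dict[str, str]) -> dict[str, str]:
    return {path: redact_text(text) for path, text in bundle.items()}


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.path}:{f.line_no} {f.kind}")
    # After redaction only the structural finding remains: the .env file itself
    # still has to be removed from the bundle; redaction does not delete files.
    print("after redaction:", [f.kind for f in scan_bundle(redact_bundle(SAMPLE_BUNDLE))])
```

Two design points follow from the guidance above. Findings carry the location and kind but never the matched value, so the scan output can itself be shared without becoming another copy of the secret. And redaction of a connection string keeps the user, host and port, which is what a troubleshooting note needs, while the password is removed rather than masked, so the redacted report cannot be turned back into working access.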
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- Repository and engagement patterns that let consulting deliverables double as secrets stores
- Specific examples of how long-lived tokens move from GitLab and GitHub into customer environments
- The case for workload identity federation and just-in-time credentials in delivery workflows
- Practical steps for reducing exposure in CI/CD, partner access, and consulting handoffs
👉 Read Aembit's analysis of the Red Hat GitLab breach and consulting credential exposure →
Red Hat GitLab breach: what consulting deliverables exposed for IAM teams?
Explore further
Consulting deliverables are now part of the identity attack surface: The breach shows that code, reports, and environment notes cannot be separated from NHI governance when they contain live access material. The risk is not accidental disclosure alone, but the fact that deliverables can outlive the access context they were created for. Security teams should treat consulting artefacts as governed identity objects, not passive files.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who is accountable when a vendor deliverable exposes customer access?
A: Accountability is shared across the vendor, the customer, and any third party that handled the deliverable, but the control failure sits with whoever allowed reusable access material to persist. The cleanest governance answer is to define who owns secret removal, who approves distribution, and who revokes access when the engagement ends.
👉 Read our full editorial: Red Hat GitLab breach shows how consulting repos become credential risk