Trellix Confirms Source Code Repository Breach as RansomHouse Claims Responsibility
Trellix disclosed that attackers gained unauthorized access to part of its internal source code repository, prompting the cybersecurity vendor to engage external forensic experts and notify law enforcement. The company said its investigation has so far found no evidence that its source code release or distribution process was affected, that customer-facing products were tampered with, or that the accessed code has been exploited in the wild. Trellix has not publicly identified the intrusion method, the exact data accessed, the threat actor behind the breach, or how long the attackers maintained access, and said additional details will be shared after the investigation is complete.
The incident drew heightened attention because Trellix is a major security supplier formed from the merger of McAfee Enterprise and FireEye, and compromise of a security vendor's code repository raises concerns about downstream supply-chain risk, exposed secrets, and insight into defensive logic. Days after the disclosure, the RansomHouse extortion group claimed responsibility and posted screenshots allegedly showing access to Trellix internal systems and dashboards, though it did not specify what data was stolen. Trellix has continued to state that there is no indication its build or software distribution pipeline was compromised, even as the breach is being compared with other recent source code and software supply-chain incidents affecting security vendors and platforms.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
RansomHouse publicly claims responsibility for Trellix breach
RansomHouse publicly claimed responsibility for the Trellix intrusion and posted Trellix on its Tor leak site. The group shared screenshots allegedly showing access to Trellix internal systems, adding a new attribution claim to the incident.
Infosecurity reports Trellix disclosed the breach on May 4
One report stated that Trellix disclosed on May 4 that threat actors had gained unauthorized access to part of its source code repository. The company was said to have notified law enforcement, engaged forensic experts, and found no evidence of source code exploitation or release-process impact.
Trellix discloses unauthorized access to part of source code repository
Trellix disclosed that attackers gained unauthorized access to a portion of its internal source code repository. The company said it engaged forensic experts, notified law enforcement, and found no evidence that its source code release or distribution process was affected or that the accessed code had been exploited.
RansomHouse says it breached Trellix on April 17
RansomHouse claimed the compromise of Trellix occurred on April 17, 2026. The group later alleged it had accessed internal services and management dashboards, though the exact data exfiltrated was not specified.
Sources
RansomHouse says it breached Trellix and exposes internal systems (securityaffairs.com)
Trellix Breach - RansomHouse Claims Access to Parts of Source Code (cybersecuritynews.com)
Trellix Reveals Unauthorized Access to Source Code - Infosecurity Magazine (infosecurity-magazine.com)
Trellix Source Code Breach Highlights Growing Supply Chain Threats (darkreading.com)
Trellix Source Code Breach 2026: Repository Hack Confirmed (blog.cybernexora.com)
Trellix Source Code Breach - Hackers Gain Unauthorized Access to Repository (cybersecuritynews.com)
Trellix discloses the breach of a code repository (securityaffairs.com)
Trellix Confirms Source Code Breach With Unauthorized Repository Access (thehackernews.com)


