Trellix Investigates Unauthorized Access to Internal Source Code Repository
Trellix disclosed that attackers gained unauthorized access to part of its internal source code repository and said it immediately engaged external forensic experts and notified law enforcement. The cybersecurity vendor reported that its investigation had found no evidence that the release or distribution pipeline was compromised, that customer-facing products were tampered with, or that the accessed code had been exploited in the wild, but the inquiry remains ongoing.
The incident is significant because Trellix is a major endpoint security and XDR provider formed from the merger of McAfee Enterprise and FireEye, with products used by governments and large enterprises. Public reporting said key details remain unclear, including the intruder's identity, the initial access vector, dwell time, which products or codebases were affected, and whether any additional data was exfiltrated; security observers warned that exposed source code can aid vulnerability discovery, reveal defensive logic, and create potential downstream supply-chain risk even without confirmed product compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Trellix says no evidence of pipeline compromise or product tampering
In its public disclosure, Trellix said its investigation had found no evidence that the source code release or distribution pipeline was compromised, that customer-facing products were tampered with, or that the accessed code had been exploited in the wild. The company said the investigation was ongoing and that it planned to share more technical details later.
Trellix engages forensic experts and notifies law enforcement
After discovering the intrusion, Trellix said it immediately brought in external forensic experts and notified law enforcement. These actions were part of its initial incident response.
Trellix discovers unauthorized access to internal source code repository
Trellix identified a security incident involving unauthorized access to a portion of its internal source code repository. The exact intrusion date is not provided in the references.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Trellix Source Code Breach: How Hackers Got in
hoploninfosec.com
Open sourceTrellix investigating breach of source code repository | Cybersecurity Dive
cybersecuritydive.com
Open sourceTrellix data breach: what happened and what's at risk | UpGuard
upguard.com
Open sourceTrellix Source Code Breach - Hackers Gain Unauthorized Access to Repository
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Trellix Confirms Source Code Repository Breach as RansomHouse Claims Responsibility
Trellix disclosed that attackers gained unauthorized access to part of its internal source code repository, prompting the cybersecurity vendor to engage external forensic experts and notify law enforcement. The company said its investigation has so far found **no evidence** that its source code release or distribution process was affected, that customer-facing products were tampered with, or that the accessed code has been exploited in the wild. Trellix has not publicly identified the intrusion method, the exact data accessed, the threat actor behind the breach, or how long the attackers maintained access, and said additional details will be shared after the investigation is complete. The incident drew heightened attention because Trellix is a major security supplier formed from the merger of McAfee Enterprise and FireEye, and compromise of a security vendor's code repository raises concerns about downstream supply-chain risk, exposed secrets, and insight into defensive logic. Days after the disclosure, the **RansomHouse** extortion group claimed responsibility and posted screenshots allegedly showing access to Trellix internal systems and dashboards, though it did not specify what data was stolen. Trellix has continued to state that there is no indication its build or software distribution pipeline was compromised, even as the breach is being compared with other recent source code and software supply-chain incidents affecting security vendors and platforms.
Jun 8, 2026
Target Investigates Alleged Source Code Theft and Restricts Enterprise Git Access
Target is responding to claims that attackers stole and are attempting to sell **internal source code and developer documentation** after a threat actor posted what appeared to be sample repositories on the public Git platform *Gitea*. The actor advertised the leak as a preview of a much larger dataset “to go to auction,” with `SALE.MD` files listing tens of thousands of paths (over 57,000 lines) and an alleged archive size of roughly **860 GB**; sample repository names included `Secrets-docs`, `GiftCardRed-giftcardui`, and `TargetIDM-TAPProvisioingAPI`. After media inquiries, the posted files were removed and Target’s internet-accessible developer Git endpoint (`git.target.com`) became inaccessible. Multiple current and former Target employees told reporters that the leaked materials appear authentic, citing matches to internal system names and deployment tooling (e.g., references to platforms such as **“BigRED”** and **“TAP [Provisioning]”**, Hadoop datasets, and a customized CI/CD stack based on *Vela*). Employees also pointed to references consistent with Target’s supply-chain/development infrastructure (e.g., *JFrog Artifactory*) and internal project identifiers (including “blossom IDs”). Internal communications shared with reporters described an “**accelerated**” security change that further restricted access to Target’s Enterprise Git server shortly after the alleged leak surfaced.
Mar 21, 2026
TeamPCP Compromised Trivy and Turned CI/CD Pipelines Into Credential Theft Channels
A supply-chain attack against Aqua Security’s **Trivy** ecosystem let attackers publish malicious artifacts and hijack GitHub Action tags, turning a widely used security scanner into a credential stealer. Reporting indicates the intrusion began with abuse of a misconfigured GitHub Actions workflow and theft of privileged credentials, followed by incomplete containment that left residual access in place. Attackers then poisoned **`aquasecurity/trivy-action`** by force-updating 75 of 76 tags, compromised **`setup-trivy`**, and published a backdoored **Trivy `v0.69.4`** release; later activity also pushed malicious Docker Hub images **`0.69.5`** and **`0.69.6`**. The malware harvested GitHub tokens, cloud credentials, SSH keys, Kubernetes secrets, Docker configs, and other CI/CD data from runners and developer environments, encrypted the loot, and exfiltrated it to attacker-controlled infrastructure or fallback GitHub repositories such as **`tpcp-docs`**. Researchers and vendor advisories linked the campaign to **TeamPCP** and described it as an expanding, multi-stage operation that also included a brief OpenVSX compromise of the Trivy VS Code extension, defacement of **44** repositories in Aqua Security’s internal **`aquasec-com`** GitHub organization, and follow-on compromises affecting Checkmarx tooling and the **LiteLLM** PyPI package. Aqua removed malicious artifacts, revoked tokens, restored safe references, and said commercial products were not affected, while GitHub and public advisories identified safe versions including **Trivy `0.69.2`/`0.69.3`**, **`trivy-action` `0.35.0`**, and **`setup-trivy` `0.2.6`**. U.S. CISA added **`CVE-2026-33634`** to the KEV catalog, and incident responders warned organizations that ran affected versions to assume full pipeline compromise, rotate all accessible secrets, audit workflow logs and GitHub activity, and pin GitHub Actions to immutable commit SHAs.
May 6, 2026