Cyber Incident Victim: Trellix
Date: May 2026
Location: United States of America
Summary
Trellix disclosed that threat actors gained unauthorized access to a portion of its source code repository. The company notified law enforcement and is working with forensic experts to determine the scope of the breach. It stated that, based on its investigation to date, there is no evidence that its source code release or distribution process was affected or that the code has been exploited. The RansomHouse ransomware group claimed responsibility for the intrusion and published screenshots that show access to internal services and management dashboards, but it did not specify what data was taken. Observers have noted a possible connection to recent supply chain attacks involving the hacker groups TeamPCP and Lapsus$, although the company has not confirmed any link.
Description
On May 4, Trellix disclosed unauthorized access to a portion of its source code repository. The company said it had notified law enforcement and was working with leading forensic experts. Trellix stated that, based on its investigation to date, it had found no evidence that its source code release or distribution process was affected. It also said there was no evidence that its source code had been exploited. On May 5, InfoSecurity Magazine reported the breach. The article noted that Trellix is the company formed from the merger of McAfee Enterprise and FireEye in 2021 after acquisition by private equity firm Symphony Technology Group. It added that Trellix sells threat intelligence and AI‑powered detection and response services including NDR and EDR, as well as data security and email security. On May 8, SecurityWeek reported that the RansomHouse ransomware group had taken credit for the attack. RansomHouse posted the claim on its leak website and published several screenshots that appeared to show access to internal services and management dashboards. The group did not specify how much data it had stolen or the type of data taken.

The screenshots released by RansomHouse indicated that threat actors had gained visibility into Trellix’s internal services and management dashboards. RansomHouse did not claim to have encrypted files or to have issued a ransom demand in its statement. Trellix reiterated that its investigation had found no evidence that the source code release or distribution process was affected. It also said there was no evidence that the source code itself had been exploited. Isaac Evans, founder of Semgrep, warned that access to source code could give attackers a roadmap to where controls live, how detections are written, and where trusted update or build paths may be exposed. The article noted that this pattern of targeting security vendors and software supply chains should attract defenders’ attention. It referenced recent compromises of Aqua Security and Checkmarx after a software supply chain attack targeting the security scanner Trivy, which exposed numerous enterprise secrets. The article also mentioned signs that TeamPCP is working with the Vect ransomware group to target Trivy campaign victims. However, any connection between those incidents and the Trellix breach has not been confirmed. The lack of confirmed linkage means the Trellix incident remains under investigation regarding possible ties to broader supply chain activity.

Trellix said it is continuing to work with leading forensic experts and law enforcement to determine the full scope of the unauthorized access. The company stated it will share additional details once its investigation is complete. As of the latest reports, Trellix has not released further specifics about the data accessed, the attackers’ methods, or any impact on customers. No information has been provided about containment measures, remediation steps, or a timeline for resolution. The investigation remains ongoing, and Trellix has not indicated when further updates can be expected.
