Cybersecurity firm Trellix disclosed a data breach after attackers gained unauthorized access to a portion of its source code repository.
About Trellix
Trellix is a global cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye. The company serves over 50,000 business and government customers worldwide, protecting more than 200 million endpoints.
Breach Details
According to an official statement updated Monday, the company is investigating the incident with outside forensic experts. Trellix stated: "we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited."
The company has notified law enforcement but has not yet found evidence that threat actors exploited or altered the accessed source code. A Trellix spokesperson declined to provide additional details regarding detection timing, whether customer or corporate data was stolen, or if ransom demands were made.
RansomHouse Connection
The RansomHouse ransomware group claimed credit for the attack on Trellix, alleging access to sensitive portions of the company's development infrastructure. The group has been increasingly active in targeting technology and cybersecurity companies to maximize extortion leverage.
Industry Context
Trellix joins other cybersecurity firms recently breached:
- Checkmarx confirmed the LAPSUS$ group leaked stolen GitHub data
- Cisco revealed that hackers breached its internal development environment and stole source code using credentials compromised in the Trivy supply chain attack
- HackerOne notified employees in March that attackers had stolen personal information via a Navia benefits administrator hack
Implications
A breach of a cybersecurity vendor's source code is particularly concerning. Attackers with access to defensive tool source code can analyze it to find blind spots, identify detection signatures to evade, and discover vulnerabilities in the products protecting millions of endpoints worldwide.