"Trellix recently identified unauthorized access to a portion of our source code repository," the company said in a May 1 statement — a terse admission that has now been followed by a public claim from a known extortion group.
RansomHouse claims and the leaked screenshots
Last week the RansomHouse threat group posted screenshots and a small set of images on its data leak site, saying the files proved access to Trellix's source code repository and the company's appliance management system. According to the threat actor, the intrusion occurred on April 17 and resulted in data encryption. BleepingComputer reported the publication but said it could not confirm the authenticity of the leaked material.
Trellix response and ongoing investigation
Trellix confirmed the breach on May 1 and said it immediately engaged "leading forensic experts to resolve it." The company also said it has notified law enforcement. In its public statement Trellix added: "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited." After RansomHouse's disclosure, Trellix told BleepingComputer it was "aware of claims of responsibility for the attack and are looking into it."
RansomHouse: tactics, tooling and a recent precedent
RansomHouse began operating in 2022 as a data-extortion operation that lists victims on a dark web portal and leaks or sells data taken from corporate networks. Over time the group has added more advanced encryption utilities to its toolkit, including 'Mario,' described as performing a dual-encryption pass with two keys on target files, and 'MrAgent,' which automates the deployment of encryptors on VMware ESXi hypervisors. A recent high-profile case attributed to the group involved Japanese e-commerce company Askul Corporation, from which RansomHouse said it stole 740,000 customer records and other sensitive information.
Timeline, scope and customer footprint
According to the reporting, RansomHouse gives the intrusion date as April 17 and claims its activity included encryption of data. Trellix's publicly stated figures indicate the company's scale: in 2025 Trellix had more than 53,000 customers across 185 countries and roughly 3,500 employees. Trellix has said the investigation is ongoing and that it will share further details as they become available.
How technologists, affected enterprises, and law enforcement are likely to respond
Technologists and security teams: Trellix says it engaged leading forensic experts and has found no evidence so far that source code distribution or release processes were affected. Security teams that use Trellix products will be watching for any further forensic findings or technical indicators that validate or contradict the company's initial assessment.
Affected enterprises and procurement leaders: Trellix's customer base includes global Fortune 100 customers and tens of thousands of other organizations across 185 countries. Those customers will want clear, credible updates about whether source code integrity or distribution channels were compromised and whether any product or supply-chain risk is identified during the investigation.
Law enforcement and forensic investigators: Trellix has notified law enforcement and is working with external forensic experts. Investigators will be evaluating both the authenticity of the published screenshots and any artefacts from a forensic review that corroborate RansomHouse's timeline and claims of encryption.
The facts in hand are crisp but limited: a statement from Trellix that it has found no evidence to date that its source code release or distribution process was affected or that its source code has been exploited, a public claim and dated timeline from RansomHouse, and leaked screenshots that independent reporting could not verify. Trellix has promised more detail as its inquiry continues; until that forensic record is released, the key questions remain whether the leaked material is genuine and whether the company's assertion will hold up under independent review.




