
Trellix Breach Exposes Source Code Repository


"Trellix recently identified unauthorized access to a portion of our source code repository," the company said in an official statement, a short declaration that set in motion a forensic review and a notification to law enforcement.

Trellix's official statement and immediate response

The global cybersecurity company said it discovered unauthorized access to part of its source code repository and immediately engaged outside forensic experts to investigate. Trellix also notified law enforcement, and the company said it would "share further details as appropriate" once the investigation concludes. The same statement was provided to BleepingComputer when that outlet sought additional information.

The release reiterated that, "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited." Trellix adds that it is still investigating the matter.

Access to the source code repository: scope and findings

Trellix described the intrusion as access to "a portion" of its source code repository. Beyond that characterization the company has not publicly detailed which repository components were involved, how the access occurred, or when the activity was first detected. Trellix emphasized it has not yet found evidence that the threat actors exploited or altered the source code they accessed.

The company also noted its broader footprint: Trellix was formed by the October 2021 merger of McAfee Enterprise and FireEye, and the firm provides services to more than 50,000 business and government customers worldwide while protecting "more than 200 million endpoints." Those figures frame why any breach of a security vendor's development assets draws immediate attention.

BleepingComputer's follow-up and outstanding specifics

BleepingComputer asked Trellix several follow-up questions: when the incident was detected, whether attackers had also stolen corporate or customer data, and whether a ransom demand had been made. Trellix supplied the same official statement in response but has not replied to a subsequent email seeking further details about the security incident. The company said it intends to release additional information "as appropriate" at the close of its investigation.

Related vendor breaches: Checkmarx, Cisco, and HackerOne

Trellix's disclosure is one of several vendor incidents reported since the start of the year. Application security company Checkmarx confirmed last week that the LAPSUS$ hacking group leaked data stolen from its private GitHub repository. Cisco disclosed last month that attackers breached its internal development environment and stole source code using credentials compromised in a Trivy supply chain attack. In March, bug bounty platform HackerOne notified hundreds of employees that their personal information had been stolen after attackers targeted Navia, one of HackerOne's U.S. benefits administrators.

Those reports form a short but clear pattern in which development environments, private repositories, and third-party service relationships have been targeted or implicated in compromises.

What this means for business and government customers, security teams, and law enforcement

  • Business and government customers: Organizations that rely on Trellix's services — the company says it serves more than 50,000 business and government customers and protects over 200 million endpoints — will be monitoring Trellix's investigation and any published indicators of compromise or mitigation steps. Trellix's repeated assurance that it has so far found no evidence that the accessed source code was exploited, or that its release and distribution process was affected, will be weighed against the limited public detail available.
  • Security teams and technologists: Engineers, incident responders, and product-security teams will expect forensic outputs from Trellix, including technical indicators and timeline information, both to validate Trellix's findings and to run defensive checks in their own environments. The involvement of external forensic experts signals a formal evidence-gathering effort that teams will watch for when assessing risk to deployed products and integrations.
  • Law enforcement: Trellix has notified law enforcement, and that engagement will shape investigative and possibly cross-jurisdictional follow-up. Law enforcement involvement is now part of the public record in this case.

Trellix's disclosure adds to a string of high-profile incidents affecting development assets and third-party administrators this year. The company has stated it found no evidence of source-code exploitation so far and has engaged outside forensics and law enforcement, but key factual details — detection timing, exact scope of files accessed, and whether any corporate or customer data were taken — remain under investigation. Trellix says it will provide further details "as appropriate" after that work concludes.
