
Trellix Breach Exposes Source Code to Threat Actors

"Trellix recently identified unauthorized access to a portion of our source code repository," the company said on May 4, a terse admission that confirmed a breach of internal development assets at one of the better-known vendors in U.S. cybersecurity.

Trellix: what the company disclosed on May 4

Privately held Trellix said on May 4 that it had identified unauthorized access to part of its source code repository, has notified law enforcement, and is "working with leading forensic experts" to determine the scope and cause of the incident. The company added that "based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited." Trellix — formed from the merger of McAfee Enterprise and FireEye in 2021 after acquisition by private equity firm Symphony Technology Group — sells threat intelligence and AI-powered detection and response services including NDR and EDR, as well as data security and email security.

Why access to source code matters — Isaac Evans, Semgrep

Security practitioners warned immediately about the implications. "For security companies, it can provide attackers with a roadmap to where controls live, how detections are written, and where trusted update or build paths may be exposed," said Isaac Evans, founder of software security firm Semgrep. Evans added that the recent pattern of targeting security vendors and software supply chains demands attention because "attackers are not only looking for customer data; they are looking for leverage. If they can understand defensive tooling from the inside, they can turn the software ecosystem itself into a delivery mechanism."

Evans also highlighted specific technical vectors that can follow from repository access: "Stolen tokens, CI/CD gaps, and overtrusted build workflows can let attackers move from one project to another, harvesting secrets and planting persistence along the way." Those are the mechanics, he warned, that turn code repositories from passive storage into potential pathways for later compromise.

Connections to the Trivy supply chain campaign and TeamPCP

The Trellix disclosure arrives amid a string of incidents tied to software supply chain exploitation. Several vendors, including Aqua Security and Checkmarx, were compromised after a campaign targeting the security scanner Trivy, which exposed "countless enterprise secrets." Google Cloud's Wiz Security reported at the end of March that the TeamPCP group behind the Trivy campaign may be collaborating with extortion group Lapsus$ to monetize stolen credentials, and that there are signs TeamPCP is working with the Vect ransomware group to target Trivy campaign victims.

Trellix has not linked its incident to Trivy, TeamPCP, Lapsus$, or Vect. The company said only that details will be shared once the investigation is complete and attribution is not currently public.

How Trellix is responding

Beyond notifying law enforcement and engaging forensic experts, Trellix has been "keeping tight lipped" publicly and says it will provide further information when the investigation concludes. The company's public statements emphasize an absence, to date, of evidence that release or distribution processes were affected or that the accessed source code has been exploited.

That posture — limited disclosure while forensic work continues — leaves a defined set of short-term actions visible in the record: forensic analysis, law-enforcement notification, and a pledge to update customers and the public after the investigation completes.

What this means for security teams, Trellix customers, and threat actors

  • Security teams and technologists: Evans' comments underline the operational risk from repository access — attackers can map detection logic and build chains. Teams maintaining CI/CD and token hygiene will be watching for signs of lateral use of stolen credentials or injected persistence in build workflows.
  • Trellix customers and procurement leaders: Buyers of Trellix NDR, EDR, data and email security tools will look for follow-up information from the vendor about whether update, release, or distribution mechanisms were impacted and whether any mitigations are required.
  • Threat actors and extortion groups: The broader context supplied in reporting about Trivy and TeamPCP shows existing adversary behavior that seeks to monetize stolen credentials and to chain supply-chain compromises into extortion or ransomware activity — patterns that make source-code access a potentially valuable lever.
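The "overtrusted build workflow" and "CI/CD gap" mechanics that Evans describes, and that the first bullet above says teams will be checking for, are concrete enough to audit mechanically. The following is an added example, not code from Trellix, Semgrep or the original report. It assumes a GitHub Actions workflow that has already been parsed into a Python dict in the shape PyYAML's `safe_load` produces (so it runs offline without a YAML library), and it checks for three widely recognised weak settings: third-party actions referenced by a mutable tag rather than a full commit SHA, `pull_request_target` jobs that check out the untrusted pull-request head with repository secrets in reach, and workflow-wide `write-all` token permissions. The two sample workflows and the 40-character SHAs in the hardened one are constructed placeholders.

```python
"""Audit a GitHub Actions workflow dict for overtrusted build-workflow patterns.

Added example; not Trellix's, Semgrep's or the article's code. The workflow
is a Python dict as PyYAML's safe_load would return for workflow.yml. Note
that YAML parses the bare key `on:` as boolean True, so both spellings are
accepted below.
"""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def _triggers(workflow):
    """Return the set of event names the workflow runs on."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on)  # list of names, or dict of event -> filters


def _step_findings(job_name, step, triggers):
    """Findings for one step: unpinned actions and unsafe PR-head checkouts."""
    findings = []
    uses = step.get("uses")
    if not uses or uses.startswith("./"):  # local actions are repo-controlled
        return findings
    ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
    if not FULL_SHA.match(ref):
        findings.append(
            f"{job_name}: '{uses}' is not pinned to a full commit SHA; "
            "a moved tag or compromised upstream changes what the job runs"
        )
    if "pull_request_target" in triggers and uses.startswith("actions/checkout"):
        ref_expr = str((step.get("with") or {}).get("ref", ""))
        if "pull_request.head" in ref_expr:
            findings.append(
                f"{job_name}: checks out the PR head under pull_request_target; "
                "fork-controlled code runs with repository secrets available"
            )
    return findings


def audit_workflow(workflow):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    triggers = _triggers(workflow)
    top_perms = workflow.get("permissions")
    if top_perms == "write-all":
        findings.append("workflow: permissions is write-all; scope the token per job")
    for job_name, job in (workflow.get("jobs") or {}).items():
        if job.get("permissions", top_perms) is None:
            findings.append(
                f"{job_name}: no permissions block, default GITHUB_TOKEN scope applies"
            )
        for step in job.get("steps") or []:
            findings.extend(_step_findings(job_name, step, triggers))
    return findings


# Constructed sample: the weak configuration (all three patterns present).
WEAK_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {}},
    "permissions": "write-all",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"uses": "some-org/setup-tool@main"},
                {"run": "make test"},
            ],
        }
    },
}

# Constructed sample: the same pipeline hardened. The SHAs are placeholders;
# a real pin is the commit hash of the reviewed action release.
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read"},
            "steps": [
                {"uses": "actions/checkout@" + "0" * 40},
                {"uses": "some-org/setup-tool@" + "1" * 40},
                {"run": "make test"},
            ],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}] {len(audit_workflow(wf))} finding(s)")
        for line in audit_workflow(wf):
            print("  -", line)
```

The checks are deliberately narrow: they flag the settings that let a stolen token or a malicious fork reach a build's secrets, which is the route from "repository access" to "planting persistence" in Evans' description. Pinning to a commit SHA and granting read-only permissions do not stop an attacker who already holds a valid token, but they remove the ambient trust that turns one compromised project into a pivot to the next.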

The immediate record is compact: Trellix confirmed unauthorized access to part of a source code repository, engaged law enforcement and external forensics, and reported no current evidence of exploitation or affected release pathways. Attribution remains open, and the company says it will publish more when its investigation concludes — leaving customers, defenders, and the broader security community to watch for the forensic findings and any technical indicators the vendor releases.
