
Trellix, a global cybersecurity company formed from the 2021 merger of McAfee Enterprise and FireEye, has confirmed that attackers gained unauthorized access to a portion of its source code repository.
The disclosure was made publicly on May 2, 2026, after the company identified the intrusion and engaged leading forensic experts to investigate. Law enforcement has also been notified. For a company whose entire business is built on keeping others secure, having its own source code stolen is the kind of incident that demands more than a short statement.
What Trellix Has Confirmed
Trellix’s official statement reads: “Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement. Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
The company is saying two distinct things. First, that someone got into the repository. Second, that there is currently no evidence the software build pipeline or any products shipped to customers were altered. Those are not the same claim, and the difference matters for anyone using Trellix products right now.
Trellix serves over 50,000 business and government customers worldwide and protects more than 200 million endpoints. That scale means even limited access to its internal code carries potential consequences that extend well beyond the company itself.
Who Is Behind It
Five days after the cyberattack, RansomHouse, a cybercrime group that launched in 2022 as a data-extortion operation, formally claimed responsibility by listing Trellix on its dark web leak site and publishing a set of screenshots as proof.
According to RansomHouse, the intrusion occurred on April 17 and resulted in data encryption. That would mean attackers were inside Trellix’s systems for roughly two weeks before the breach was discovered and disclosed.
RansomHouse operates using a ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent that automates the deployment of encryptors on VMware ESXi hypervisors. The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
On its leak site, RansomHouse listed the breach status as “Evidence Depends on You,” a tactic used to pressure victims into paying before any stolen data is released publicly. When BleepingComputer contacted Trellix after the group’s disclosure, the company said it was “aware of claims of responsibility for the attack and are looking into it,” stopping short of confirming a direct link between RansomHouse’s claims and its own investigation.
The Scope May Be Wider Than Source Code
Researchers from Cybernews who reviewed the screenshots published by RansomHouse say the breach may go further than source code exposure. The images show dashboards linked to several enterprise infrastructure platforms, including VMware, Rubrik, and Dell EMC systems, tools commonly used to manage data storage, IT infrastructure, and virtual machines.
According to the researchers, the screenshots suggest the attackers may have accessed broader operational infrastructure rather than isolated development repositories, noting that “these earlier-mentioned internal systems handle way more than just the source code of a launched product.” The researchers also flagged the risk to Trellix’s customers directly, stating that “the impact of this incident can extend to companies that use Trellix products, because these product databases could’ve been affected as well.”
Trellix has not publicly attributed the incident to RansomHouse. Claims involving ransomware deployment, enterprise-wide compromise, or customer data theft also remain unverified.
Why This Breach Carries a Particular Weight
Trellix emerged from a 2022 merger of McAfee Enterprise and FireEye, two names that have long been associated with cybersecurity defense. FireEye itself suffered a significant breach in 2020 when attackers stole its red-team tools, the very software used to test client defenses. The Trellix incident lands in that same uncomfortable category, where the tools and knowledge meant to defend others become the target.
Source code, specifically, is a high-value target. Source code repositories are prime targets for attackers seeking to identify exploitable vulnerabilities, embed backdoors, or conduct supply chain attacks against downstream customers. When that code belongs to a company whose products sit on 200 million endpoints globally, the question of what was accessed and what was done with it needs to be asked.
Trellix has said it will share more details once its investigation is complete. Given the scale of its customer base and the nature of what was stolen, that update will need to be far more detailed than what has been shared so far.