Trellix, a prominent cybersecurity vendor, has confirmed that threat actors gained access to portions of its source code repository, in an incident disclosed on May 4. The company, formed in 2021 when private equity firm Symphony Technology Group merged McAfee Enterprise and FireEye, has notified law enforcement and engaged outside forensic experts to investigate the breach. Trellix sells threat intelligence, AI-powered detection and response (including network and endpoint detection), and data and email security products.
According to the company's statement, investigators have so far found no evidence that the release or distribution process was affected, and none that the stolen code has been exploited. The investigation is ongoing, however, and until it concludes Trellix is not sharing further detail about how the repository was accessed or who was responsible. Those findings are therefore a point-in-time statement from an open investigation, not a final determination.
Security experts warn that source code access to a cybersecurity vendor presents significant risks. Isaac Evans, founder of software security firm Semgrep, explained that such access provides attackers with detailed information about where security controls exist, how detection systems are written, and where trusted update or build paths might be vulnerable. This intelligence allows threat actors to understand defensive tools from the inside and potentially weaponize the software ecosystem itself as a delivery mechanism for attacks.
The incident follows a pattern of recent supply chain attacks targeting security vendors. Multiple companies, including Aqua Security and Checkmarx, were recently compromised through an attack on the security scanner Trivy, which resulted in the exposure of numerous enterprise secrets. Google Cloud's Wiz Security reported in late March that the TeamPCP group behind the Trivy campaign may be collaborating with the extortion group Lapsus$ to monetize stolen credentials, with additional signs pointing to cooperation with the Vect ransomware group.
Security professionals emphasize that code repositories must be treated as critical assets with controls to match, not as storage. A stolen token, an unguarded step in a CI/CD pipeline, or a build workflow that runs untrusted input with more privilege than it needs is enough to let an attacker pivot from one project to the next, harvesting secrets and establishing persistence along the way. Targeting security vendors is a strategic shift: the prize is not only customer data but leverage over the security ecosystem itself.
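As a concrete check for the overtrusted-workflow and build-path gaps described above (and in Evans's remarks about update and build paths), the following is an added example, not code from Trellix, Trivy, Semgrep or this article. It audits a GitHub Actions workflow file with line-based pattern checks for four patterns: fork-supplied code checked out under `pull_request_target`, secrets referenced in such a workflow, actions pulled by a mutable tag rather than a commit SHA, and a missing `permissions` block. Both workflow files are constructed for illustration, and the commit SHA in the hardened one is illustrative rather than a verified release.

```python
"""Line-based audit of a GitHub Actions workflow for overtrusted-build patterns.
Added example; not Trellix, Trivy or Semgrep project code.  The two workflows
below are constructed for illustration."""
import re

# Constructed weak workflow: runs fork-supplied code under pull_request_target
# (which carries the base repository's secrets) and pulls an action by tag.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened counterpart: plain pull_request trigger (no secrets for
# forks), explicit read-only token, action pinned to a full commit SHA
# (the SHA value shown is illustrative).
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - run: make test
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.M)
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
PR_TARGET = re.compile(r"\bpull_request_target\b")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    target = PR_TARGET.search(text) is not None

    # pull_request_target runs in the base repo's context with its secrets;
    # checking out the PR head there hands that context to the fork author.
    if target and PR_HEAD.search(text):
        findings.append("pull_request_target checks out the PR head: "
                        "fork code runs with base-repo context")

    # Any secret referenced in such a workflow is readable by that fork code.
    if target and "secrets." in text:
        findings.append("secrets referenced in a pull_request_target workflow")

    # A tag or branch ref can be moved by whoever controls the action's repo;
    # only a full commit SHA is immutable.
    for ref in USES_LINE.findall(text):
        if ref.startswith("./"):
            continue  # local action, versioned together with this repo
        if not SHA_PINNED.search(ref):
            findings.append(f"action {ref} pinned to a mutable ref instead of a commit SHA")

    # Without a permissions block, GITHUB_TOKEN scope comes from repo defaults.
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN scope left to repository defaults")

    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit_workflow(wf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The checks are deliberately textual so the script runs without a YAML library; a production linter would parse the workflow and also inspect job-level `permissions` and reusable-workflow calls. Run it over `.github/workflows/*.yml` in the repositories you own, then move on to the tokens those workflows can reach.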
Source: https://www.infosecurity-magazine.com/news/trellix-reveals-unauthorized/