Trellix, a leading cybersecurity firm created from the merger of McAfee Enterprise and FireEye, has confirmed a breach in its source code repository. The RansomHouse group has claimed responsibility for this unauthorized access.
Details of the Security Breach
The breach, which was publicly revealed around May 2, 2026, involved unauthorized access to sections of Trellix’s source code. Upon discovering the breach, Trellix quickly collaborated with top forensic experts to investigate and also informed law enforcement agencies.
In a statement on its website, Trellix said that the investigation so far has found no evidence that its source code release or distribution processes were affected, nor any evidence that the accessed source code has been exploited.
RansomHouse’s Involvement
RansomHouse, a notorious ransomware group, listed Trellix on its dark web leak platform, asserting that the breach took place on April 17, 2026. The group released several screenshots that allegedly show their access to Trellix’s internal systems and management interfaces. However, the total amount and nature of the data that was exfiltrated remain unspecified.
RansomHouse’s strategy of labeling the breach as “Evidence Depends on You” is a common pressure tactic to force negotiations before making the stolen data public.
Techniques and Implications
RansomHouse is known for its own ransomware variant, Mario ESXi, which is derived from the leaked Babuk ransomware, and for a tool known as MrAgent that it uses to target virtualized environments on Windows and Linux systems. The group frequently targets VMware ESXi infrastructure, gaining access by exploiting weak domain credentials.
The group brands itself as a “professional mediator community,” often demanding payment for not releasing stolen data rather than for decrypting it.
Ongoing Investigation and Industry Impact
While Trellix continues to investigate the full scope of the breach, it has so far found no evidence of tampering with its software distribution pipeline or customer-facing products. The incident underscores a troubling trend in which cybercriminals target the vendors of cybersecurity solutions themselves; if such access were exploited, the repercussions for enterprise defenses worldwide could be severe.
