RansomHouse Claims Trellix Source Code Access After Breach
Key Takeaways Cybersecurity vendor Trellix confirmed unauthorized access to a portion of its source code repository. The RansomHouse ransomware group claimed responsibility for the breach, which...
Key Takeaways
- Cybersecurity vendor Trellix confirmed unauthorized access to a portion of its source code repository.
- The RansomHouse ransomware group claimed responsibility for the breach, which reportedly occurred on April 17, 2026.
- Trellix states there is no evidence its software distribution process or customer-facing products were affected or that the source code has been exploited.
- RansomHouse displayed screenshots purportedly from Trellix’s internal systems, using its typical “Evidence Depends on You” tactic to pressure the victim.
Global cybersecurity giant Trellix, formed from the consolidation of McAfee Enterprise and FireEye, has acknowledged an intrusion into a segment of its source code infrastructure. The notorious RansomHouse ransomware collective has formally taken credit for the attack.
Trellix publicly disclosed the data breach, which involved unauthorized entry into a portion of its proprietary code repository, around May 2, 2026.
Upon detection of the unauthorized access, Trellix immediately enlisted leading forensic specialists to conduct a thorough investigation and has also alerted law enforcement agencies.
In an official statement released on its corporate website, Trellix affirmed: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
The RansomHouse ransomware group explicitly named Trellix on its dark web leak site, asserting that the compromise took place on April 17, 2026.
The group subsequently published several screenshots, which they claim demonstrate access to Trellix’s internal services and management dashboards. However, RansomHouse has not disclosed the specific volume or nature of the data allegedly exfiltrated.
Notably, RansomHouse characterized the breach status as “Evidence Depends on You.” This is a signature tactic employed by the group to exert pressure on victims, pushing them towards negotiation before publicly releasing any stolen data.
RansomHouse operates as a sophisticated ransomware-as-a-service (RaaS) operation, recognized for deploying a unique ransomware variant named Mario ESXi. This malware shares code lineage with the previously leaked Babuk ransomware source code. The group also utilizes a tool called MrAgent to target both Windows and Linux-based virtualized environments.
The group commonly targets VMware ESXi infrastructure, exploiting weak domain credentials and monitoring systems to achieve privileged access within compromised networks.
RansomHouse distinguishes itself by presenting itself as a “professional mediator community,” frequently demanding payment for data deletion rather than offering decryption services.
The comprehensive scope of the data exposure remains unconfirmed, and Trellix has not verified if corporate or customer data, beyond the source code, was also accessed during the incident.
Preliminary findings from Trellix’s investigation suggest no indication that the company’s software distribution pipeline or its customer-facing products were compromised or tampered with.
This incident underscores a growing trend where ransomware groups increasingly target cybersecurity vendors themselves. The potential weaponization of proprietary source code from such organizations could have profound and far-reaching implications for enterprise defenses globally.
What You Should Do
- Review and strengthen access controls, especially for source code repositories and critical internal systems.
- Implement multi-factor authentication (MFA) across all internal and external services.
- Regularly audit logs for unusual activity and unauthorized access attempts.
- Ensure robust endpoint detection and response (EDR) solutions are deployed and actively monitored.
- Conduct routine security awareness training for employees on phishing and social engineering tactics.
- Maintain comprehensive backups of critical data and regularly test recovery procedures.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.