
Trellix Confirms Source Code Breach

Summary

– Trellix disclosed on May 4 that unauthorized actors accessed a portion of its source code repository.
– The company stated there is no evidence that its source code release process was affected or that the code was exploited.
– Trellix, formed from the merger of McAfee Enterprise and FireEye, sells threat intelligence and AI-powered detection services.
– Security experts warn that access to source code gives attackers a roadmap to controls, detections, and build paths.
– The breach follows a pattern of supply chain attacks on security tooling, most recently the TeamPCP group's campaign against the open-source scanner Trivy, with indications that the group is collaborating with extortion and ransomware crews.

A major US cybersecurity vendor has confirmed that threat actors successfully accessed its proprietary source code, raising serious concerns about the potential fallout for its customers and the broader industry.

Privately held Trellix disclosed the breach on May 4, stating it has alerted law enforcement and is collaborating with “leading forensic experts” to determine the full scope of the incident. The company, formed from the 2021 merger of McAfee Enterprise and FireEye after their acquisition by Symphony Technology Group, specializes in threat intelligence, AI-powered detection and response, network detection and response (NDR), endpoint detection and response (EDR), and data and email security.

“Trellix recently identified unauthorized access to a portion of our source code repository,” the firm said in a statement. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”

The breach is particularly alarming given Trellix’s role as a security provider. Access to its source code could hand attackers a significant advantage, warned Isaac Evans, founder of software security firm Semgrep.

“For security companies, it can provide attackers with a roadmap to where controls live, how detections are written, and where trusted update or build paths may be exposed,” Evans said. “This recent pattern of targeting security vendors and software supply chains should have the full attention of defenders. Attackers are not only looking for customer data; they are looking for leverage. If they can understand defensive tooling from the inside, they can turn the software ecosystem itself into a delivery mechanism.”

Trellix has not disclosed who is responsible for the intrusion, and the company is keeping details close to the vest, saying only that it will share more information once the investigation concludes.

The incident comes amid a broader wave of supply chain attacks targeting security tools. Several vendors, including Aqua Security and Checkmarx, were recently compromised in a campaign that targeted the open-source scanner Trivy, exposing large numbers of enterprise secrets. Google Cloud’s Wiz Security reported in late March that the TeamPCP group behind the Trivy campaign may be collaborating with the notorious extortion group Lapsus$ to monetize stolen credentials. There are also indications that TeamPCP is working with the Vect ransomware group to target victims of the Trivy campaign.

Evans stressed that the threat landscape has shifted. “Stolen tokens, CI/CD gaps, and overtrusted build workflows can let attackers move from one project to another, harvesting secrets and planting persistence along the way,” he said. “Organizations shouldn’t treat code repositories as just a place where code lives and is stored, but something that needs to be protected as attackers continuously find new ways to exploit and manipulate them.”
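The “overtrusted build workflows” and “CI/CD gaps” Evans refers to have a concrete shape in GitHub Actions: third-party actions pinned to a mutable tag or branch, a `pull_request_target` workflow that checks out and runs code from a fork while holding repository secrets, attacker-controlled event fields expanded straight into a shell step, and a `GITHUB_TOKEN` granted `write-all`. The audit below is an example written for this page, not code from Trellix, Semgrep, or Infosecurity Magazine. It assumes the workflow YAML has already been parsed into a dict (for instance with `yaml.safe_load`), and the two workflow definitions, the `example-org/scanner-action` name, and the 40-hex commit SHAs are constructed placeholders, not real repositories or commits.

```python
"""Audit a parsed GitHub Actions workflow for overtrusted-build-workflow patterns.

Added example for this page; not Trellix's, Semgrep's or Infosecurity Magazine's
code. Assumes the workflow YAML was already loaded into a dict (e.g. yaml.safe_load).
Sample workflows, action names and commit SHAs below are constructed placeholders.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Any

# A full 40-hex commit SHA is the only immutable way to pin a third-party action;
# tags and branches can be moved to point at attacker-controlled code.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Event fields an outside contributor controls. ${{ }} expansion happens before
# the shell runs, so interpolating these into `run` is command injection.
UNTRUSTED_FIELDS = (
    "pull_request.title", "pull_request.body", "pull_request.head.ref",
    "issue.title", "issue.body", "comment.body", "head_commit.message",
)


def _triggers(wf: dict[str, Any]) -> set[str]:
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so check both.
    on = wf.get("on") or wf.get(True) or {}
    if isinstance(on, (dict, list)):
        return set(on)
    return {str(on)}


def _mentions_secret(step: dict[str, Any]) -> bool:
    blob = " ".join(str(step.get(k, "")) for k in ("run", "env", "with"))
    return "secrets." in blob


def audit_workflow(wf: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    # pull_request_target runs with base-repo secrets but can be started by a fork PR.
    untrusted_trigger = "pull_request_target" in _triggers(wf)
    if wf.get("permissions") == "write-all":
        findings.append(("BROAD_TOKEN", "workflow grants GITHUB_TOKEN write-all"))
    for job_name, job in (wf.get("jobs") or {}).items():
        checks_out_head = False
        secret_steps: list[int] = []
        for i, step in enumerate(job.get("steps") or []):
            uses = step.get("uses", "")
            if uses and not uses.startswith(("./", "docker://")):
                ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
                if not SHA_RE.fullmatch(ref):
                    findings.append(("MUTABLE_PIN", f"{job_name}[{i}]: {uses}"))
            ref = str((step.get("with") or {}).get("ref", ""))
            if "github.event.pull_request.head" in ref or "github.head_ref" in ref:
                checks_out_head = True
                if untrusted_trigger:
                    findings.append(("UNTRUSTED_CHECKOUT",
                                     f"{job_name}[{i}]: checks out PR head under pull_request_target"))
            run = str(step.get("run", ""))
            for field in UNTRUSTED_FIELDS:
                if f"github.event.{field}" in run:
                    findings.append(("EXPR_INJECTION", f"{job_name}[{i}]: github.event.{field} expanded in run"))
            if _mentions_secret(step):
                secret_steps.append(i)
        # The classic "pwn request": fork code is executed in a job that also holds secrets.
        if untrusted_trigger and checks_out_head and secret_steps:
            findings.append(("SECRETS_TO_UNTRUSTED_CODE",
                             f"{job_name}: steps {secret_steps} expose secrets to code from the PR head"))
    return findings


def finding_codes(wf: dict[str, Any]) -> dict[str, int]:
    """Count findings by code, for summaries and tests."""
    return dict(Counter(code for code, _ in audit_workflow(wf)))


# Constructed weak workflow: every pattern above appears at least once.
SAMPLE_WORKFLOW: dict[str, Any] = {
    "name": "build",
    "on": {"pull_request_target": {}, "push": {"branches": ["main"]}},
    "permissions": "write-all",
    "jobs": {"scan": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "example-org/scanner-action@main"},
        {"run": "echo ${{ github.event.pull_request.title }} && ./scan.sh",
         "env": {"TOKEN": "${{ secrets.REGISTRY_TOKEN }}"}},
        {"uses": "actions/upload-artifact@0123456789abcdef0123456789abcdef01234567"},  # placeholder SHA
    ]}},
}

# Constructed hardened counterpart: read-only token, plain pull_request trigger,
# SHA-pinned actions, untrusted title passed through an env var the shell reads.
HARDENED_WORKFLOW: dict[str, Any] = {
    "name": "build",
    "on": {"pull_request": {}, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {"scan": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},  # placeholder SHA
        {"uses": "example-org/scanner-action@89abcdef0123456789abcdef0123456789abcdef"},  # placeholder SHA
        {"run": 'echo "$PR_TITLE" && ./scan.sh', "env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}},
    ]}},
}

if __name__ == "__main__":
    for wf in (SAMPLE_WORKFLOW, HARDENED_WORKFLOW):
        print(wf["name"], finding_codes(wf) or "clean")
        for code, detail in audit_workflow(wf):
            print(f"  {code}: {detail}")
```

The weak workflow produces six findings (one broad token, two mutable pins, one untrusted checkout, one expression injection, and one job-level secrets-to-untrusted-code finding); the hardened one produces none. Note that the job-level check fires only when all three conditions coincide, since `pull_request_target` with secrets is normal on its own; it becomes a problem when the job also executes code from the PR head.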

(Source: Infosecurity Magazine)
