Trellix disclosed on May 7 that an attacker accessed a "portion" of its source-code repository. The ransomware group RansomHouse claimed responsibility the same day, listing the company on its leak site. Trellix says it has "found no evidence that our source code release or distribution process was affected, or that our source code has been exploited."
Independent researchers at Cybernews who reviewed the leaked material assert the breach extended further — into critical VMware, Rubrik, and Dell EMC systems used inside Trellix's infrastructure.
The disclosure language is doing a lot of work here.
"No evidence that our source code release or distribution process was affected" is not the same as "no source code was accessed." The carve-out is specifically about whether the shipped product downstream of the source repository was tampered with. That matters because supply-chain integrity is what customers care about — if the build pipeline produced unaltered binaries, customers don't have a SolarWinds-style exposure even if the source itself was read.
"No source code has been exploited" tells you the company hasn't observed exploitation. It doesn't tell you whether the source code itself left the building. The plain reading is that Trellix is being careful not to lie, and the circumscribed language is what you write when the actual scope is still under forensic investigation and the legal team is in the room.
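The supply-chain distinction above (source read versus shipped binaries altered) is something a customer can check for themselves rather than take on faith. The following is an added example, not code from Trellix or from the reporting; it assumes the vendor publishes a sha256sum-style manifest of release artifacts that you fetch through a separate, trusted channel, and every file name and byte string in it is constructed. It reports every artifact as ok, mismatch, missing, or unexpected, so a file the vendor never listed is surfaced rather than ignored.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# sha256sum output format: 64 hex digits, a space, then a space (text) or
# an asterisk (binary), then the relative path.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    status: str              # "ok" | "mismatch" | "missing" | "unexpected"
    expected: Optional[str]  # digest from the vendor manifest, if listed
    actual: Optional[str]    # digest of the installed file, if present


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a vendor manifest into {path: expected_sha256}.

    Blank lines and '#' comments are skipped. Anything else that does not
    match the format is an error: a manifest you cannot parse exactly is
    not one you should be trusting binaries against."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, path = m.group(1).lower(), m.group(2)
        if path in expected:
            raise ValueError(f"manifest lists {path!r} twice")
        expected[path] = digest
    return expected


def manifest_is_wellformed(text: str) -> bool:
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def verify_install(expected: Dict[str, str], installed: Dict[str, bytes]) -> List[Finding]:
    """Compare installed artifacts (path -> file contents) against the manifest.

    Every path from either side yields exactly one Finding, so an extra file
    the vendor never shipped is reported, not silently passed over."""
    findings: List[Finding] = []
    for path in sorted(set(expected) | set(installed)):
        want = expected.get(path)
        have = sha256_hex(installed[path]) if path in installed else None
        if want is None:
            status = "unexpected"
        elif have is None:
            status = "missing"
        elif have == want:
            status = "ok"
        else:
            status = "mismatch"
        findings.append(Finding(path, status, want, have))
    return findings


def drift(findings: List[Finding]) -> List[Finding]:
    """Only the findings a responder actually has to act on."""
    return [f for f in findings if f.status != "ok"]


# --- Constructed sample data: not a real vendor manifest or binary ---
GOOD_AGENT = b"constructed: pretend agent binary, build 1"
GOOD_LIB = b"constructed: pretend support library"
GOOD_CONF = b"constructed: config template"

VENDOR_MANIFEST = "\n".join([
    "# published by the vendor and fetched out of band (constructed)",
    f"{sha256_hex(GOOD_AGENT)}  bin/agent",
    f"{sha256_hex(GOOD_LIB)}  lib/support.so",
    f"{sha256_hex(GOOD_CONF)}  etc/agent.conf",
])

# What a host actually has on disk: one clean file, one altered file,
# one listed file absent, and one file the manifest never mentioned.
INSTALLED: Dict[str, bytes] = {
    "bin/agent": GOOD_AGENT,
    "lib/support.so": GOOD_LIB + b"\x00tampered",
    "usr/lib/extra.so": b"constructed: file the manifest never listed",
}


def audit(manifest_text: str = VENDOR_MANIFEST,
          installed: Dict[str, bytes] = INSTALLED) -> Dict[str, str]:
    """Convenience wrapper returning {path: status} for the sample host."""
    return {f.path: f.status
            for f in verify_install(parse_manifest(manifest_text), installed)}


if __name__ == "__main__":
    for f in drift(verify_install(parse_manifest(VENDOR_MANIFEST), INSTALLED)):
        print(f"{f.status:10} {f.path}")
```

The whole check is only as good as where the manifest came from: digests downloaded from the same host, or the same update channel, that an attacker could have altered prove nothing. The design point is that "mismatch" and "unexpected" on a host you did not change are the signal that the shipped artifacts, not just the source, are in question.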
The Cybernews reporting about VMware, Rubrik, and Dell EMC access is the bigger concern. Those are infrastructure systems — backup, virtualization, storage — that sit one layer below the source-code repository. If the attacker reached those, they had administrative-level access to Trellix's internal IT environment, which suggests the source-code access was a downstream consequence of a wider compromise rather than a targeted theft. That changes the threat model considerably.
A more charitable read: ransomware groups have a strong incentive to overstate what they accessed in order to maximize extortion leverage, and Cybernews is reviewing material the attackers chose to publish. Trellix may be in possession of telemetry that legitimately bounds the scope to the source-code repository alone. Until the forensics report lands, both readings are defensible.
- Trellix has notified law enforcement and engaged third-party forensic experts — standard breach-response posture
- RansomHouse has been active throughout 2025–2026 with a pattern of source-code-targeted extortion; Trellix is among their highest-profile claims
- Trellix is a security company. The reputational damage compounds the technical damage — every customer's compliance team is now writing memos about whether to extend or cancel
If you're a Trellix customer, the action item isn't to rip out the product — it's to read the next forensic update carefully and verify your own incident-response runbook for "what if our security vendor is compromised." If you don't have that runbook, write it this week regardless of vendor.