Cybersecurity firm Trellix says attackers reached part of its source code repository

Trellix, the cybersecurity company formed from the 2022 merger of McAfee Enterprise and FireEye, disclosed Friday that attackers reached part of its source code repository. The company says it has 'no evidence' that source code releases were tampered with, that the source code itself was exploited, or that customer data was affected - but it has not said how long the attackers had access, who they were, or what they took. Trellix is now working with outside forensics firms and has notified law enforcement. Trellix sells endpoint protection, email security, and managed detection products to enterprise and government customers. The company has not given a timeline for further disclosure.

Check

If your organization uses any Trellix product, watch for unusual update patterns this week and avoid auto-updating until Trellix confirms the integrity of its release pipeline.

Affected

Trellix customers - enterprises and US government agencies that use Trellix endpoint, email, IPS, or managed detection products. Source code access doesn't automatically mean compromised products, but it's the starting position for finding new vulnerabilities. Defense and federal customers face higher residual risk pending Trellix's full disclosure.

Fix

Verify Trellix product update integrity by comparing checksums for any agent updated since the breach window. Hold non-emergency Trellix updates pending more clarity. For high-security environments, run Trellix in monitor-only mode for the next two weeks. Track Trellix's incident page directly and demand a written incident report within 30 days.