Last updated: May 13, 2026 at 5:42 AM UTC
Tag: trellix (2 articles)

RansomHouse claims the Trellix breach and posts screenshots showing it reached internal VMware, Rubrik, and Dell EMC dashboards - far more than the 'small portion of source code' Trellix originally disclosed

Update on the Trellix breach we covered May 2: RansomHouse claimed the attack on its leak site Thursday and published screenshots that suggest the intrusion reached well beyond the source code repository Trellix originally acknowledged. Cybernews researchers reviewed the dumped images and identified internal dashboards for VMware vCenter, Rubrik backup, and Dell EMC storage - the systems that hold backups, credentials, and virtual machine images for the entire company. RansomHouse says the intrusion happened April 17 and resulted in data encryption. Trellix told BleepingComputer it's 'aware of claims of responsibility' and looking into them. RansomHouse currently lists 170+ victims on its Tor leak site.

Check
If your organization runs Trellix endpoint, IPS, ePolicy Orchestrator, or email security, audit checksums of every Trellix update installed since April 17. Hunt for unusual outbound traffic from Trellix product hosts.
Affected
Trellix customers - 53,000+ enterprises and government agencies in 185 countries protecting 200M+ endpoints. Acute risk: organizations relying on Trellix for backup integrity (Rubrik exposed) or VMware management (vCenter exposed). Defense and federal customers face higher residual risk pending Trellix's full incident report.
Fix
Hold non-emergency Trellix product updates until Trellix releases a written incident report with concrete scope. Verify checksums for every Trellix agent updated since April 17 against Trellix's published values. Treat any Trellix-issued credentials, API tokens, or signing certificates from before April 17 as potentially compromised and request rotation. Demand a written incident report within 30 days.

Cybersecurity firm Trellix says attackers reached part of its source code repository

Trellix, the cybersecurity company formed from the 2022 merger of McAfee Enterprise and FireEye, disclosed Friday that attackers reached part of its source code repository. The company says it has 'no evidence' that source code releases were tampered with, that the source code itself was exploited, or that customer data was affected - but it has not said how long the attackers had access, who they were, or what they took. Trellix is now working with outside forensics firms and has notified law enforcement. Trellix sells endpoint protection, email security, and managed detection products to enterprise and government customers. The company has not given a timeline for further disclosure.

Check
If your organization uses any Trellix product, watch for unusual update patterns this week and avoid auto-updating until Trellix confirms the integrity of its release pipeline.
Affected
Trellix customers - enterprises and US government agencies that use Trellix endpoint, email, IPS, or managed detection products. Source code access doesn't automatically mean compromised products, but it's the starting position for finding new vulnerabilities. Defense and federal customers face higher residual risk pending Trellix's full disclosure.
Fix
Verify Trellix product update integrity by comparing checksums for any agent updated since the breach window. Hold non-emergency Trellix updates pending more clarity. For high-security environments, run Trellix in monitor-only mode for the next two weeks. Track Trellix's incident page directly and demand a written incident report within 30 days.