Trellix — source code repository breach, RansomHouse extortion claim

Security vendor Trellix confirmed attackers accessed a portion of its source code repository; RansomHouse later claimed the intrusion and leaked screenshots suggesting wider internal access.

Target: Trellix — source code repository breach, RansomHouse extortion claim
Date public: 2 May 2026
Sector: Technology
Attack type: Ransomware
Threat actor: RansomHouse
Severity: High
Region: Global (US-headquartered)

Cybersecurity vendor Trellix disclosed in early May 2026 that it had recently identified the compromise of “a portion” of its source code repository. According to the company’s public statement, it immediately began working with leading forensic experts to resolve the matter and has notified law enforcement. Based on the investigation to date, Trellix says it has found no evidence that its source code release or distribution process was affected, or that the source code itself has been exploited.

On 7 May 2026 the RansomHouse data-extortion crew listed Trellix on its leak site and claimed responsibility for the intrusion. The group published seven screenshots that, per Cybernews researchers who reviewed the material, suggest the access extends beyond a source code repository alone — frames showing what appear to be VMware vCenter consoles and internal dashboards. That is the gap between the official Trellix statement and the attacker narrative that any deep-dive will have to resolve.

RansomHouse launched in 2022 as a pure data-extortion crew and has since added encryption tooling to its arsenal, including the dual-key “Mario” encryptor and the “MrAgent” automation utility that targets VMware ESXi hypervisors at scale. The Trellix listing fits the crew’s established pattern of high-value technology-vendor targets and image-led proof-of-access leaks. Trellix EDR is widely deployed across UK financial services, which is the part of this story that warrants the most careful tracking as more becomes public.

A deep-dive will follow once the access chain into the source code repository is documented, the scope of the wider claimed internal access is independently verified or dismissed, and Trellix or its incident-response partner publishes a post-incident technical write-up.
