Cybersecurity vendor Trellix published a terse statement last Friday, disclosing that a threat actor recently gained unauthorized access to “a portion of our source code repository.” Trellix did not reveal what portion was compromised and provided few details about the breach.
“Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company said in its statement. “As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”
Trellix said it immediately began working with “leading forensic experts” to investigate the breach and also notified law enforcement. But many questions remain, including where the repository resides, how it was compromised, and who was behind the attack.
Dark Reading contacted Trellix for further comment but the company declined.
The Trellix breach is the latest supply chain attack impacting the cybersecurity industry. In March, a threat group known as TeamPCP compromised Trivy, an open source scanner maintained by Aqua Security, and KICS, an open source code analysis tool developed by CheckMarx.
In both attacks, TeamPCP actors targeted GitHub Actions workflows to push out poisoned versions of the open source tools. At this stage, there’s no indication that TeamPCP is connected to the Trellix breach, and no threat actor has claimed credit for the attack. But regardless of who the adversary is, source code breaches for security vendors can carry significant risk for downstream customers.
Security Supply Chain Mayhem
In the recent TeamPCP attacks, the threat group used the CI/CD secrets obtained in one repository breach to gain access to other organizations’ repositories, repeating the cycle several times throughout the ongoing campaign. CI/CD secrets can include credentials, SSH keys, release signing keys, and GitHub Action tokens.
TeamPCP isn’t the only threat group eyeing security vendors’ code; in October 2025, F5 Networks disclosed that a nation-state actor breached its product development environment and obtained sensitive data for the company’s flagship BIG-IP product line, including source code. And in 2022, both Okta and Lastpass suffered breaches in which threat actors gained access to product source code.
It’s unclear what effects Trellix’s breach may have on the company and its customers.
“The risk depends on what the attackers actually got and whether they could touch the build or release process,” Raphael Silva, researcher at Aikido Security, tells Dark Reading. “If it was read-only access to part of a repository, the main concern for the downstream customers would be if the same access also included any CI/CD access, signing keys, package publishing credentials, etc. Essentially, the ability to modify what gets shipped to the end users.”
Fortunately, based on what Trellix has shared so far, there’s no indication that the attackers gained that type of access, Silva says.
Still, a source code breach can provide a map of a security product’s layout, such as where controls are located and how detections are designed. Such information can give attackers a leg up, says Isaac Evans, founder and CEO of application security vendor Semgrep.
“Even though the breach has been detected, it may not be trivial to remove an attacker’s access,” Evans adds. “For instance, in the Aqua security [Trivy] breach from earlier this year, the initial defense response still allowed attackers to modify source code after the defenders were alerted.”
