Trellix
RansomHouse breached the cybersecurity firm protecting 200 million endpoints and walked out with source code from their security tool repositories.
What happened?
On May 7, 2026, RansomHouse claimed responsibility for compromising Trellix's source code repository. Eight days later, on May 15, Trellix confirmed the breach, acknowledging that attackers gained unauthorized access to their code repositories containing source code for security tools. Trellix was formed from the 2022 merger of McAfee Enterprise and FireEye products, creating one of the largest cybersecurity firms protecting over 50,000 business and government customers and securing more than 200 million endpoints worldwide.
What data was actually inside?
Source code for security tools. Not customer data, not endpoint telemetry, not threat intelligence feeds—the actual code that powers their detection engines, threat hunting capabilities, and endpoint protection systems. This is the intellectual property that defines how Trellix products identify malware, detect intrusions, and respond to threats.
For a cybersecurity company, source code repositories contain the algorithms that distinguish malicious from benign, the heuristics that catch zero-days, and the logic that determines when to alert versus when to block. Every detection rule, every evasion technique they've discovered, every proprietary method they've developed—all documented in code.
Who gets hurt and how?
The 50,000+ businesses and government agencies running Trellix security tools across 200 million endpoints. When attackers have your security vendor's source code, they can reverse-engineer detection logic, identify blind spots, and craft attacks specifically designed to evade those defenses.
This isn't theoretical. With source code access, attackers can test malware variants until they find combinations that slip past detection engines. They can identify which API calls trigger alerts, which behaviors get flagged, and which techniques remain invisible. Every customer running Trellix protection now faces adversaries who have read the implementation details of their security stack.
What did they think they were doing right?
Trellix is a cybersecurity company. They were born from the merger of McAfee Enterprise and FireEye—two companies with decades of security expertise. They have threat intelligence teams, incident response capabilities, and security operations centers. Their entire business model depends on protecting organizations from exactly this type of compromise.
Code repositories were supposed to be secured with access controls, authentication requirements, and monitoring. They likely had policies about who could commit code, reviews for sensitive changes, and audit logs tracking repository access. But policies don't prevent unauthorized access—they just document what should have happened before the breach.
What did they not know about their own data?
Trellix didn't know what source code was actually accessible through their repositories. Years of development across McAfee Enterprise and FireEye products, merged codebases, legacy repositories, and development branches accumulate code that spans the entire product portfolio. Some repositories might contain current production code, others hold experimental features, and still others preserve historical implementations.
The merger between McAfee Enterprise and FireEye created Trellix in 2022. That means four years of integrating development environments, consolidating repositories, and managing code from two separate security product lines. In that complexity, understanding exactly what source code exists where—and which repositories contain the most sensitive algorithms—becomes an inventory problem. RansomHouse now has a better map of that codebase than Trellix probably did.
If your environment was compromised today, could you say within 24 hours exactly what sensitive data was accessed?
What does attribution look like the morning after?
RansomHouse announced the breach on May 7. Trellix confirmed it on May 15. That eight-day gap is when customers were running Trellix security tools without knowing that attackers had the source code to those same tools. Every endpoint protected by Trellix, every alert generated, every threat detected during that window happened while adversaries could study exactly how those detections work.
Now comes customer notification. Fifty thousand organizations must decide whether to trust security tools whose source code is in attacker hands. Some will demand emergency patches. Others will ask for technical details about what specific code was exposed. Many will question whether their security stack is still effective. And Trellix faces the impossible task of proving a negative—that their tools still work even though adversaries can read the implementation.
What would have changed the outcome?
Knowing exactly what source code existed in those repositories before attackers accessed them.
If Trellix had inventoried their code repositories—mapped which repositories contained production code versus experimental features, classified which algorithms were most sensitive, understood what proprietary detection logic existed where—they could have prioritized protection for their crown jewels. They could have isolated the most critical source code, implemented stronger access controls on repositories holding detection algorithms, and monitored access patterns to their most valuable IP.
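One way to start building that inventory, as an added example that is not Trellix's code: it tiers each repository by what it holds and flags the control gaps the post describes (sensitive code readable by broad groups, no audit logging, dormant legacy repos still readable). The repository records, path keywords and group names below are constructed assumptions.

```python
# Added example, not Trellix's code: a first-pass sensitivity inventory of
# source repositories. Records, keywords and group names are constructed.
from dataclasses import dataclass

# Path fragments treated as crown-jewel code: detection and response logic.
SENSITIVE_HINTS = ("detection", "engine", "signatures", "heuristics")
BROAD_GROUPS = {"all-engineers", "contractors"}  # assumed overly broad groups


@dataclass(frozen=True)
class Repo:
    name: str
    status: str                  # "production", "experimental" or "archived"
    paths: tuple                 # top-level directories in the repo
    read_groups: frozenset       # groups granted read access
    audit_logging: bool
    days_since_commit: int


def classify(repo: Repo) -> str:
    """Tier a repo by what it contains, not by which team owns it."""
    hit = any(h in p.lower() for p in repo.paths for h in SENSITIVE_HINTS)
    return "crown-jewel" if hit else "standard"


def findings(repo: Repo) -> list:
    """Control gaps worth closing before, not after, an incident."""
    gaps, tier = [], classify(repo)
    if tier == "crown-jewel" and repo.read_groups & BROAD_GROUPS:
        gaps.append("sensitive code readable by broad group")
    if tier == "crown-jewel" and not repo.audit_logging:
        gaps.append("no audit log on sensitive repo")
    if repo.status == "archived" and repo.days_since_commit > 365 and repo.read_groups:
        gaps.append("dormant legacy repo still readable")
    return gaps


def prioritize(repos: list) -> list:
    """(name, tier, gaps) for repos with gaps; crown jewels first."""
    rows = [(r.name, classify(r), findings(r)) for r in repos if findings(r)]
    rows.sort(key=lambda row: (row[1] != "crown-jewel", -len(row[2]), row[0]))
    return rows


# Constructed inventory: two pre-merger product lines plus a newer console.
INVENTORY = [
    Repo("endpoint-engine", "production", ("src/detection/", "src/engine/"),
         frozenset({"epp-core", "all-engineers"}), True, 2),
    Repo("hx-agent-legacy", "archived", ("agent/heuristics/", "docs/"),
         frozenset({"all-engineers"}), False, 900),
    Repo("console-ui", "production", ("web/", "api/"),
         frozenset({"ui-team"}), True, 1),
]
```

Run `prioritize(INVENTORY)` to get the ranked list; in the constructed data the dormant legacy repo from one pre-merger product line ranks first because it holds detection heuristics, is broadly readable and has no audit logging.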
Instead, they learned what was in those repositories from a RansomHouse announcement. For a cybersecurity company protecting 200 million endpoints, that's the fundamental failure: not knowing the contents and sensitivity of your own data until someone else tells you what they took.
Trellix found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.