The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion.
Yesterday, the threat actor published on their data leak site screenshots indicating access to the cybersecurity company’s appliance management system. However, BleepingComputer could not confirm the authenticity of the data.
Trellix is an international cybersecurity firm with global Fortune 100 customers. In 2025, the company had more than 53,000 customers in 185 countries and 3,500 employees.
The company confirmed the breach in a statement on May 1st and said that it was investigating the incident. “Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it,” stated Trellix.
“We have also notified law enforcement. Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
At the time, BleepingComputer’s request for details went unanswered, and the company did not disclose any information about the perpetrators.
Following a new request for comments after RansomHouse’s disclosure, Trellix told BleepingComputer that it was “aware of claims of responsibility for the attack and are looking into it.”
According to the threat actor, the intrusion occurred on April 17 and resulted in data encryption.
Trellix listed on the RansomHouse extortion portal
Source: BleepingComputer
RansomHouse is a cybercrime group that launched in 2022 as a data-extortion operation, listing victims on a darkweb portal and leaking or selling data stolen from their corporate networks.
Over time, the threat actor added more advanced encryption utilities to their toolkit, such as ‘Mario,’ which performs a dual-encryption pass with two keys on target files, and ‘MrAgent,’ which automates the deployment of encryptors on VMware ESXi hypervisors.
A recent high-profile case involving RansomHouse was that of Japanese e-commerce giant Askul Corporation, from which the threat group stole 740,000 customer records, among other sensitive information.
Trellix’s investigation is still underway, and the company previously promised to share more details once they become available.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Claim Your Spot
