Trellix Source Code Breach Highlights Growing Supply Chain Threats
Info is scant, but such breaches can reveal where a security product's controls are located and how detections are designed, giving attackers a leg up.
Rob Wright, Senior News Director, Dark Reading
May 5, 2026
3 Min Read
Cybersecurity vendor Trellix published a terse statement last Friday, disclosing that a threat actor recently gained unauthorized access to "a portion of our source code repository." Trellix did not reveal what portion was compromised and provided few details about the breach.
"Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited," the company said in its statement. "As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete."
Trellix said it immediately began working with "leading forensic experts" to investigate the breach and also notified law enforcement. But many questions remain, including where the repository resides, how it was compromised, and who was behind the attack.
Dark Reading contacted Trellix for further comment but the company declined.
The Trellix breach is the latest supply chain attack impacting the cybersecurity industry. In March, a threat group known as TeamPCP compromised Trivy, an open source scanner maintained by Aqua Security, and KICS, an open source code analysis tool developed by Checkmarx.
In both attacks, TeamPCP actors targeted GitHub Actions workflows to push out poisoned versions of the open source tools. At this stage, there's no indication that TeamPCP is connected to the Trellix breach, and no threat actor has claimed credit for the attack. But regardless of who the adversary is, source code breaches for security vendors can carry significant risk for downstream customers.
Security Supply Chain Mayhem
In the recent TeamPCP attacks, the threat group used the CI/CD secrets obtained in one repository breach to gain access to other organizations' repositories, repeating the cycle several times throughout the ongoing campaign. CI/CD secrets can include credentials, SSH keys, release signing keys, and GitHub Action tokens.
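As an added, defender-side illustration (not from the article or from any vendor named in it), the script below flags two workflow weaknesses that make the GitHub Actions pivot described above possible: third-party actions pinned to a mutable tag instead of an immutable commit SHA, and a workflow-wide `write-all` token that lets any compromised step modify what gets shipped. The sample workflow is constructed; `audit_workflow` is a hypothetical helper.

```python
import re

# Constructed sample workflow (not from any real project): one action pinned
# to a commit SHA, one pinned only to a movable tag, and a write-all token.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: example-org/publish-action@v2
        with:
          token: ${{ secrets.NPM_TOKEN }}
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
PERMS_RE = re.compile(r"^[ \t]*permissions:[ \t]*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return human-readable findings for a GitHub Actions workflow file.

    Two checks, both tied to the CI/CD pivot the article describes:
    - an action referenced by tag or branch can be re-pointed at poisoned
      code by whoever controls that upstream repository, so only a full
      40-hex commit SHA counts as pinned;
    - a workflow-level 'write-all' token gives every step (including a
      compromised third-party action) write access to the repository.
    """
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local paths and container images are out of scope here
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"unpinned action: {action}@{version or '<none>'}")
    for match in PERMS_RE.finditer(text):
        if match.group(1) == "write-all":
            findings.append("workflow token permissions set to write-all")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```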
TeamPCP isn't the only threat group eyeing security vendors' code; in October 2025, F5 Networks disclosed that a nation-state actor breached its product development environment and obtained sensitive data for the company's flagship BIG-IP product line, including source code. And in 2022, both Okta and LastPass suffered breaches in which threat actors gained access to product source code.
It's unclear what effects Trellix's breach may have on the company and its customers.
"The risk depends on what the attackers actually got and whether they could touch the build or release process," Raphael Silva, researcher at Aikido Security, tells Dark Reading. "If it was read-only access to part of a repository, the main concern for the downstream customers would be if the same access also included any CI/CD access, signing keys, package publishing credentials, etc. Essentially, the ability to modify what gets shipped to the end users."
Fortunately, based on what Trellix has shared so far, there's no indication that the attackers gained that type of access, Silva says.
Still, a source code breach can provide a map of a security product's layout, such as where controls are located and how detections are designed. Such information can give attackers a leg up, says Isaac Evans, founder and CEO of application security vendor Semgrep.
"Even though the breach has been detected, it may not be trivial to remove an attacker's access," Evans adds. "For instance, in the Aqua Security [Trivy] breach from earlier this year, the initial defense response still allowed attackers to modify source code after the defenders were alerted."