Trellix Confirms Source Code Breach After Unauthorized Repository Access
Trellix has officially acknowledged a security incident in which an unauthorized party gained access to a portion of its source code repositories. The company said it identified the compromise "recently" after abnormal activity was detected in its internal Git infrastructure. According to the statement, the breach was limited to a handful of private repositories that contained proprietary firmware and security scanning modules.
The attackers reportedly used compromised developer credentials to infiltrate the private code host, bypassing multi-factor authentication through a credential-stuffing technique. Forensic investigators found evidence that the intruders cloned the affected repositories, potentially exposing internal build scripts, proprietary algorithms, and signed binary components. While Trellix emphasized that no customer data or production systems were directly accessed, the exposure of source code raises concerns about the integrity of future software updates.
Trellix immediately rotated all exposed credentials, revoked active API tokens, and launched an investigation with a leading third-party forensic firm. The company has also notified relevant regulators and is working to assess the full scope of the leak. As a precaution, Trellix is requiring all internal developers to re-enroll hardware tokens and is implementing additional monitoring on its CI/CD pipelines to detect any future anomalous code movements.
The breach underscores the growing risk that supply-chain attacks pose to the cybersecurity industry. Customers and partners are advised to verify the authenticity of any software they receive from Trellix, apply the latest firmware updates, and monitor for indicators of compromise associated with the exposed code. Trellix says it will provide further guidance as its investigation progresses.
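The advice above to verify the authenticity of vendor software is only actionable if the check covers both origin and integrity: a digest list alone proves nothing if the attacker can also rewrite the list. The following Go program is an added example, not Trellix's code or any tool from the article; it shows the pattern a customer-side release verifier would implement, assuming a vendor-published SHA-256 manifest signed with an Ed25519 key whose public half is pinned on the customer side. The key pair, artifact names and contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps artifact file name -> hex SHA-256 digest, as a vendor would publish it
// alongside a release. (Hypothetical format; not Trellix's.)
type Manifest map[string]string

// Canonical serializes the manifest in sorted "digest  name" lines so that the
// signature covers one byte-exact form regardless of map iteration order.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// BuildManifest hashes every artifact; this is the vendor's release-pipeline side.
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest signs the canonical manifest with the vendor's private release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyRelease is the customer-side check: first the manifest signature against the
// pinned vendor public key, then every artifact digest, then that nothing unlisted
// was slipped into the bundle. The first failure is returned as an error.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature invalid: trust none of the artifacts")
	}
	for name, want := range m {
		data, ok := artifacts[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest but missing from bundle", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("artifact %q digest mismatch (want %s, got %s)", name, want, got)
		}
	}
	for name := range artifacts {
		if _, ok := m[name]; !ok {
			return fmt.Errorf("artifact %q present in bundle but not in signed manifest", name)
		}
	}
	return nil
}

func main() {
	// Constructed demo: throwaway vendor key pair and two fake artifacts.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifacts := map[string][]byte{
		"scanner-module.bin": []byte("constructed scanner build"),
		"firmware.img":       []byte("constructed firmware image"),
	}
	m := BuildManifest(artifacts)
	sig := SignManifest(priv, m)
	fmt.Println("clean release:   ", VerifyRelease(pub, m, sig, artifacts))

	// An artifact swapped after signing fails the digest check.
	artifacts["scanner-module.bin"] = []byte("swapped build")
	fmt.Println("tampered release:", VerifyRelease(pub, m, sig, artifacts))
}
```

The design point is the ordering: the signature is checked before any digest is compared, so a manifest that was edited to match tampered files is rejected outright rather than being trusted for the files it happens to list correctly. The pinned public key must come from a channel independent of the download itself (for example, a key shipped with an earlier verified release), otherwise an attacker who controls the distribution path can replace key, manifest and artifacts together.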