RansomHouse Claims Trellix Source Code Breach – What You Need to Know
Trellix, a prominent cybersecurity vendor, disclosed on [date] that its internal source‑code repository had been compromised. The intrusion was promptly claimed by the RansomHouse ransomware group, which posted a small set of screenshot images as proof of the breach. The leaked images showed directory listings of the GitLab instance and build‑log excerpts, indicating that the attackers had gained read‑level access to a significant portion of the company's proprietary code.
According to the forensic investigation, the threat actors exploited a critical vulnerability (CVE‑2023‑XXXX) in the Trellix GitLab deployment to obtain a service‑account token with elevated privileges. Using this token, they exfiltrated roughly 2 GB of source code spanning multiple product lines, including the core detection engine and related firmware modules. The attackers also harvested internal commit metadata and a subset of CI/CD pipeline configurations, which could enable future supply‑chain attacks if the code were weaponized.
Trellix confirmed the breach in a public statement, noting that customer data and production systems remained unaffected. The company immediately revoked the compromised credentials, patched the identified flaw, and engaged law‑enforcement agencies and third‑party incident‑response experts. RansomHouse has warned that the full archive will be released on its dark‑web leak site unless a ransom is paid, a typical double‑extortion tactic employed by the group.
Security practitioners are advised to audit their own code‑hosting environments, enforce multi‑factor authentication, apply the latest patches for GitLab and similar platforms, and implement strict least‑privilege access controls. Indicators of compromise (IOCs) such as the malicious OAuth application ID and suspicious Git clone patterns have been shared on the Trellix security portal for community vigilance.
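One way to act on the "suspicious Git clone patterns" advice is to watch for a single principal fetching many distinct repositories in a short window, which is how a stolen service-account token tends to be used for bulk exfiltration. The script below is an added illustration and not code from Trellix or from the article; the simplified access-log format, the principal names, the repository names and the threshold values are all constructed assumptions, not the IOCs Trellix published.

```python
"""Flag principals that fetch many distinct repositories within a short
window, a common signature of bulk source-code exfiltration.

Added example, not Trellix's code.  The log line shape below is an
assumption: "<ISO-8601 UTC timestamp> <principal> <method> <path>",
similar to what a reverse proxy in front of GitLab might emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# A Git fetch/clone over HTTPS starts by asking for the ref advertisement
# with service=git-upload-pack; that request is what we count.
FETCH_RE = re.compile(r"^/(?P<repo>[^ ?]+)\.git/info/refs\?service=git-upload-pack$")

# Constructed sample log: one interactive user, one CI token that suddenly
# enumerates six repositories in twelve seconds, and one normal clone.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z alice GET /group/app/-/blob/main/README.md
2023-06-01T10:02:13Z svc-ci-runner GET /group/app.git/info/refs?service=git-upload-pack
2023-06-01T10:02:15Z svc-ci-runner GET /group/engine.git/info/refs?service=git-upload-pack
2023-06-01T10:02:17Z svc-ci-runner GET /group/firmware.git/info/refs?service=git-upload-pack
2023-06-01T10:02:19Z svc-ci-runner GET /group/sdk.git/info/refs?service=git-upload-pack
2023-06-01T10:02:21Z svc-ci-runner GET /group/tools.git/info/refs?service=git-upload-pack
2023-06-01T10:02:23Z svc-ci-runner GET /group/docs.git/info/refs?service=git-upload-pack
2023-06-01T11:30:00Z bob GET /group/app.git/info/refs?service=git-upload-pack
"""


def parse_line(line):
    """Return (timestamp, principal, repo) for a fetch request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_text, principal, method, path = parts
    if method != "GET":
        return None
    match = FETCH_RE.match(path)
    if not match:
        return None  # page views, pushes, API calls etc. are ignored
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, principal, match.group("repo")


def find_bulk_cloners(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each principal that fetched >= threshold distinct repositories
    inside any `window`-long span to the sorted list of repos involved.

    Threshold and window are assumptions; tune them against your own
    baseline of how many repos a given token legitimately touches.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, principal, repo = parsed
            events[principal].append((ts, repo))

    flagged = {}
    for principal, evs in events.items():
        evs.sort()  # sliding window over time-ordered events
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            repos = {repo for _, repo in evs[start:end + 1]}
            if len(repos) >= threshold:
                flagged.setdefault(principal, set()).update(repos)
    return {p: sorted(r) for p, r in flagged.items()}


if __name__ == "__main__":
    for principal, repos in find_bulk_cloners(SAMPLE_LOG).items():
        print(f"ALERT: {principal} fetched {len(repos)} repos: {', '.join(repos)}")
```

Counting distinct repositories rather than raw requests keeps a CI job that repeatedly re-fetches one project from tripping the alert, while a token that suddenly walks a whole group does. In practice the same logic would run over the real GitLab or proxy logs, with the threshold set from each principal's historical footprint and the output routed to the SIEM alongside the IOCs Trellix shared.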