Cybersecurity | 3 hrs ago

Trellix Confirms Source Code Breach, Says No Exploitation Detected

Trellix confirms unauthorized access to part of its source code repository but finds no evidence of exploitation. Details on response and mitigations.

Peter Olaleru / 3 min / US

Cybersecurity Editor

Source: The Hacker News (original source)

Trellix confirmed that attackers accessed a portion of its source code repository but found no evidence of exploitation or impact on product releases. The company has launched a forensic investigation, notified law enforcement, and pledged to share more details as they emerge.

Context

Trellix, formed in 2022 from the merger of McAfee Enterprise and FireEye, disclosed that it "recently identified" unauthorized access to a segment of its source code. Internal security telemetry flagged anomalous activity, prompting the engagement of leading forensic experts and notification of law enforcement. The firm emphasized that its investigation so far shows no indication that the accessed code was altered or used to compromise its security products.

Key Facts

- The breach granted attackers read‑only access to a subset of Trellix’s source code repository; no customer data or build systems were reportedly exposed.
- Trellix stated there are currently no signs of exploitation, tampering, or disruption to its source code release or distribution processes.
- The identity of the threat actors and the duration of their presence remain undisclosed, limiting public insight into the attack vector.
- Based on typical patterns, the intrusion likely involved supply‑chain techniques such as exploiting compromised credentials (MITRE ATT&CK T1078.003) or abusing trusted development tools (T1195.002).

What It Means

For defenders, the incident underscores the need to harden source‑code environments even when the organization itself is a security vendor. Recommended actions include:

- Enforcing multi‑factor authentication and least‑privilege access for all Git and CI/CD platforms.
- Monitoring for anomalous Git operations (e.g., unexpected pushes, credential reuse) using detection rules aligned with MITRE ATT&CK T1059.004 (Command‑Line Interface) and T1070.004 (File Deletion).
- Implementing signed commits and verified build pipelines to detect unauthorized code changes.
- Maintaining an up‑to‑date software bill of materials (SBOM) to quickly assess any potential impact from compromised dependencies.
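The "monitoring for anomalous Git operations" recommendation above is abstract; the following added example (not code from the article, from Trellix, or from any Git platform) shows what three such detection rules look like when run over a Git platform audit log. It assumes a JSON-lines audit feed with the constructed fields `ts`, `actor`, `token`, `ip`, `action`, `repo`, `branch` and `force`; real platforms (GitHub, GitLab, Bitbucket) each have their own audit schema, so those field names, the sample events and the thresholds are all assumptions to be adapted.

```python
"""Toy detection rules for anomalous Git platform activity.

Added example; not part of the original article or any vendor tooling.
The audit-log schema, sample events and thresholds below are constructed
assumptions, not a real platform's format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). One JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:12:00Z", "actor": "alice", "token": "pat-1", "ip": "203.0.113.10", "action": "git.clone", "repo": "core/engine", "branch": null, "force": false}
{"ts": "2024-05-01T09:15:00Z", "actor": "alice", "token": "pat-1", "ip": "203.0.113.10", "action": "git.push", "repo": "core/engine", "branch": "feature/x", "force": false}
{"ts": "2024-05-01T09:20:00Z", "actor": "alice", "token": "pat-1", "ip": "198.51.100.77", "action": "git.clone", "repo": "core/engine", "branch": null, "force": false}
{"ts": "2024-05-01T23:40:00Z", "actor": "svc-build", "token": "pat-9", "ip": "192.0.2.5", "action": "git.push", "repo": "core/engine", "branch": "main", "force": true}
{"ts": "2024-05-01T23:41:00Z", "actor": "svc-build", "token": "pat-9", "ip": "192.0.2.5", "action": "git.clone", "repo": "core/agent", "branch": null, "force": false}
{"ts": "2024-05-01T23:42:00Z", "actor": "svc-build", "token": "pat-9", "ip": "192.0.2.5", "action": "git.clone", "repo": "core/updater", "branch": null, "force": false}
{"ts": "2024-05-01T23:43:00Z", "actor": "svc-build", "token": "pat-9", "ip": "192.0.2.5", "action": "git.clone", "repo": "core/console", "branch": null, "force": false}
"""

# Tuning knobs (assumed values; set from your own baseline).
PROTECTED_BRANCHES = {"main", "release"}
TOKEN_REUSE_WINDOW = timedelta(minutes=30)   # same token, different IPs
CLONE_BURST_THRESHOLD = 3                    # distinct repos cloned ...
CLONE_BURST_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Apply three rules and return a list of (rule, subject, detail) alerts."""
    alerts = []

    # Rule 1 (credential reuse): one access token used from more than one
    # source IP inside TOKEN_REUSE_WINDOW. One alert per token.
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev["token"]].append(ev)
    for token, evs in by_token.items():
        for i, ev in enumerate(evs):
            if any(p["ip"] != ev["ip"] and ev["ts"] - p["ts"] <= TOKEN_REUSE_WINDOW
                   for p in evs[:i]):
                alerts.append(("token_reuse_multi_ip", token, ev["ip"]))
                break

    # Rule 2 (unexpected push): history rewrite on a protected branch.
    for ev in events:
        if ev["action"] == "git.push" and ev["force"] and ev["branch"] in PROTECTED_BRANCHES:
            alerts.append(("force_push_protected", ev["actor"], ev["branch"]))

    # Rule 3 (bulk read): one actor cloning many distinct repositories in a
    # short window, which is unusual for a human developer or a build account.
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone":
            by_actor[ev["actor"]].append(ev)
    for actor, evs in by_actor.items():
        for i, ev in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - ev["ts"] <= CLONE_BURST_WINDOW]
            repos = {e["repo"] for e in window}
            if len(repos) >= CLONE_BURST_THRESHOLD:
                alerts.append(("clone_burst", actor, len(repos)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises three alerts: `pat-1` reused from a second IP eight minutes after the first session, a force push to `main` by the build account, and that same account cloning three distinct repositories inside two minutes. The rules are deliberately stateless and per-event so they can be re-expressed as SIEM queries; in production the token-reuse rule should also consult the platform's known egress ranges (CI runners legitimately share tokens across IPs), and the clone-burst threshold should be derived from each actor's own baseline rather than a fixed constant.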

Watch for Trellix’s forthcoming investigation report, which may reveal the attack timeline, specific TTPs used, and any advisories or patches issued for its products.
