Trellix hackers may have accessed far more than source code, researchers warn

Cybersecurity giant Trellix has been breached, with a ransomware gang leaking screenshots of its internal infrastructure. Researchers say the attackers may have accessed critical VMware, Rubrik, and Dell EMC systems, raising fears that the incident goes far beyond source code exposure.
The ransomware gang operating under the name Ransom House has recently targeted Trellix, a global cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye.
The implications of the breach may be serious, as the company provides services to over 50,000 business and government customers worldwide, protecting more than 200 million endpoints. This means that any compromise involving internal systems could ripple far beyond the company itself.
Trellix confirmed a cyber incident in an official statement on Monday. According to that statement, the company is investigating the incident with the help of outside forensic experts.
“Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company stated.
Trellix added that only “a portion of our source code repository” appears to have been impacted.
However, Cybernews researchers who reviewed material published by the attackers say the breach may extend far deeper than source code alone.
Internal infrastructure screenshots exposed
Ransom House published seven screenshots allegedly taken from Trellix’s internal environment. Cybernews researchers examined the images and identified dashboards linked to several enterprise infrastructure platforms, including:
- VMware vSphere
- Rubrik
- Dell EMC
These tools are commonly used to manage the company’s data storage, IT infrastructure, and virtual machines running on its servers.
According to our researchers, the screenshots suggest the attackers may have accessed broader operational infrastructure rather than isolated development repositories.
“These earlier-mentioned internal systems handle way more than just the source code of a launched product,” they noted.
“Regardless, the impact of this incident can extend to companies that use Trellix products, because these product databases could've been affected as well.”
The presence of virtualization and storage management consoles is particularly concerning because these environments often provide visibility into a large portion of an organization’s infrastructure.
In some cases, they may also contain backups, credentials, system configurations, internal documentation, or customer-related operational data.
“The company should rotate all compromised credentials used to access these systems, rotate to the latest safe database backups if needed, and they should transparently state which systems have been affected,” our researchers advised.
Trellix told Cybernews that the company is aware that Ransom House has claimed responsibility for the attack and notified law enforcement. According to the statement, the investigation is still ongoing.
"Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete," the spokesperson said.
Who is Ransom House?
The gang was first caught on the radar in December 2021. According to Cybernews’s dark web tracker Ransomlooker, the gang has since listed 177 other victims on its leak site.
According to a joint advisory by US cyber authorities in 2024, Iranian actors were identified as collaborating directly with ransomware affiliates to facilitate encryption operations in exchange for a percentage of ransom payments. Ransom House is one of the players identified by the authorities.
The gang has claimed multiple high-profile breaches.
For example, an attack on a major Barcelona hospital disrupted healthcare operations, resulting in the cancellation of thousands of medical appointments and forcing emergency patient redirections.
Ransom House reportedly demanded approximately $4.5 million in ransom. The Catalan government refused to pay, and the group subsequently published the stolen patient data.
Ransom House also claimed to have breached Oettinger, one of Germany's largest breweries and one of the top 25 breweries worldwide, alleging it held a trove of sensitive internal documents dating from 2022 to 2025.
Last year, Ransom House listed Italian textile giant Fulgar, supplier to H&M and Adidas, on its dark web leak site. Leaked data samples included spreadsheets with bank account balances, communications with government institutions, and invoices.
Updated on May 11th [16:40 p.m. GMT+2] with a statement from Trellix.