A leading US cybersecurity vendor has been breached by threat actors who managed to access its source code, it has been revealed.
Privately held firm Trellix disclosed the incident on May 4, claiming it has notified law enforcement and is working with “leading forensic experts” in order to work out exactly what happened.
“Trellix recently identified unauthorized access to a portion of our source code repository,” it said.
“Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
Trellix is the company formed from the merger of McAfee Enterprise and FireEye in 2021 after they were acquired by private equity firm Symphony Technology Group. It sells threat intelligence and AI-powered detection and response services, including network and endpoint detection and response (NDR and EDR), as well as data security and email security.
Access to its source code could give threat actors a major advantage, warned Isaac Evans, founder of software security firm Semgrep.
“For security companies, it can provide attackers with a roadmap to where controls live, how detections are written, and where trusted update or build paths may be exposed,” he said.
“This recent pattern of targeting security vendors and software supply chains should have the full attention of defenders. Attackers are not only looking for customer data; they are looking for leverage. If they can understand defensive tooling from the inside, they can turn the software ecosystem itself into a delivery mechanism.”
Links to Supply Chain Attacks
It’s unclear who is responsible for the breach, and Trellix is keeping tight-lipped for now, saying only that it will share details once the investigation is complete.
However, several vendors – including Aqua Security and Checkmarx – were compromised recently after a software supply chain attack targeting security scanner Trivy, which exposed countless enterprise secrets.
Google Cloud’s Wiz Security reported at the end of March that the TeamPCP group behind the Trivy campaign may be collaborating with notorious extortion group Lapsus$ to monetize these stolen credentials.
There are also signs that TeamPCP is working with the Vect ransomware group to target Trivy campaign victims.
“Stolen tokens, CI/CD gaps, and overtrusted build workflows can let attackers move from one project to another, harvesting secrets and planting persistence along the way,” said Evans. “Organizations shouldn’t treat code repositories as just a place where code lives and is stored, but something that needs to be protected as attackers continuously find new ways to exploit and manipulate them.”
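The "stolen tokens, CI/CD gaps, and overtrusted build workflows" Evans describes are the kind of thing a repository-level check can surface before an attacker does. The following is an added example written for this article, not code from Trellix, Semgrep, Aqua Security or any other project the page mentions: a stdlib-only Python scanner that walks file contents and flags credential material (using the publicly documented prefixes of AWS access key IDs, GitHub tokens, Slack tokens and PEM private keys) alongside two overtrust patterns in GitHub Actions workflows, actions referenced by a mutable tag instead of a full commit SHA, and a blanket `permissions: write-all`. The file paths and contents in `SAMPLE_FILES` are constructed for the example and are not real credentials or real CI configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Token prefixes below are the publicly documented formats of each credential
# type; the sample files further down are constructed for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Workflow hygiene checks: an action pulled by tag or branch can be re-pointed
# by whoever controls that repository; a 40-hex commit SHA cannot.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def redact(token: str) -> str:
    """Keep enough of a match to locate it in the file without re-leaking it."""
    return token[:6] + "..." + token[-2:] if len(token) > 12 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents for credential material and overtrusted workflow settings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(Finding(path, lineno, "unpinned_action", f"{m.group(1)}@{m.group(2)}"))
        if WRITE_ALL.match(line):
            findings.append(Finding(path, lineno, "write_all_permissions", line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. from a git tree or CI artifact)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample inputs (hypothetical repository contents, not real data).
SAMPLE_FILES = {
    ".github/workflows/build.yml": "\n".join([
        "name: build",
        "on: [push, pull_request]",
        "permissions: write-all",
        "jobs:",
        "  build:",
        "    runs-on: ubuntu-latest",
        "    steps:",
        "      - uses: actions/checkout@v4",
        "      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # v5",
        "      - run: go build ./...",
    ]),
    "ci-debug.log": "\n".join([
        "2025-01-01T00:00:00Z export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "2025-01-01T00:00:01Z starting trivy scan",
    ]),
    "deploy/.env": "\n".join([
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
        "-----BEGIN OPENSSH PRIVATE KEY-----",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Run against the constructed sample, the scanner reports the `write-all` permission and the tag-pinned `actions/checkout@v4` in the workflow, the AWS key ID that leaked into a debug log, and the GitHub token and private key sitting in a committed `.env`; the SHA-pinned `setup-go` step is not reported. Regex matching is deliberately simple here so it runs anywhere a pre-commit hook or CI step can; a production deployment would add entropy checks and allow-lists for documented example values such as `AKIAIOSFODNN7EXAMPLE`.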
