RansomHouse Claims Responsibility for Trellix Source Code Breach
The RansomHouse cybercrime group has claimed responsibility for a breach of Trellix's source code repository, prompting an ongoing investigation by the cybersecurity firm.

The RansomHouse threat group has claimed responsibility for a security breach involving the source code repository of cybersecurity firm Trellix. The incident, which Trellix first acknowledged on May 1, 2026, involved unauthorized access to a portion of the company’s internal code base. RansomHouse subsequently published screenshots on their dark web extortion portal, which they claim demonstrate access to Trellix's appliance management system (BleepingComputer).
According to the threat actors, the intrusion took place on April 17, 2026, and included the encryption of data within the company's network (BleepingComputer). While Trellix has confirmed the unauthorized access, the company stated that their ongoing investigation has found no evidence that their source code release or distribution processes were compromised. Furthermore, Trellix maintains that there is currently no indication that any of their source code has been exploited in the wild (BleepingComputer).
Trellix, a global cybersecurity provider serving over 53,000 customers across 185 countries, has engaged forensic experts to assist in the investigation and has notified law enforcement authorities (BleepingComputer). When asked about the RansomHouse claims, a Trellix spokesperson confirmed the company is aware of the group's assertions and is actively looking into them. At this time, the authenticity of the images leaked by the hackers has not been independently verified (BleepingComputer).
RansomHouse, which emerged as a data-extortion operation in 2022, has a history of targeting large corporate entities. The group is known for maintaining a dark web portal where they leak or sell stolen data. Their technical toolkit has evolved to include sophisticated utilities such as 'Mario,' which utilizes a dual-encryption process, and 'MrAgent,' a tool designed to automate the deployment of ransomware across VMware ESXi hypervisors (BleepingComputer).
The breach of a major cybersecurity vendor highlights the persistent risks posed by extortion-focused threat actors. As Trellix continues its investigation, the industry remains focused on whether the stolen source code could lead to future vulnerabilities in the company’s security appliances. The incident serves as a reminder of the critical importance of securing internal development environments against sophisticated, data-driven criminal organizations (BleepingComputer).