RansomHouse Has Trellix's Source Code. LAPSUS$ Has Checkmarx's. The Security Vendor Industry Is Now The Soft Surface It Sells Defense For.
- Patrick Duggan
Trellix confirmed on May 8, 2026 that the ransomware-extortion group RansomHouse compromised the company's source code repositories. The disclosure was accompanied by "proof of intrusion" images RansomHouse posted on its leak site. Checkmarx confirmed on April 28, 2026 that LAPSUS$ stole data from the company's private GitHub repository. Both companies are tier-one cybersecurity vendors, and both sell defensive products marketed against the threat actors and code-tier risks behind these very intrusions. The compression of the timeline — two major security-vendor breaches in ten days, both via repository-tier source code theft — is the receipt that the security vendor industry is now operating inside the same soft surface it sells defense for.
This post is not a dunk on Trellix or Checkmarx. Every organization with a Git repository is exposed to the same attack class. What makes the security-vendor case operationally significant is not the breach mechanics, which are not novel. What makes it significant is the precedent it establishes for the cohort. The defender market has spent a decade building the mental model that consumer-tier and enterprise-tier organizations are the targets, and the security vendors are the wall behind which those organizations shelter. The May 8 + April 28 receipts collapse that mental model. The wall has the same wallpaper as the room it surrounds.
The two breaches in concrete detail
Trellix. The entity formed from the McAfee Enterprise and FireEye merger. Source code repository compromise confirmed May 8, 2026. RansomHouse claimed the intrusion on its leak site with screenshots presented as proof of access. On the public record so far, the attack vector was repository access — not infrastructure-level network compromise, not endpoint-tier exploitation. RansomHouse got into the Git tree and walked out with code. Trellix's response has been measured and limited: the source-code-stolen acknowledgment is on the public record; the downstream-customer impact assessment is in progress.
Checkmarx. Application-security testing vendor whose entire product line is built around finding vulnerabilities in customer code. LAPSUS$ stole data from Checkmarx's private GitHub repository, confirmed April 28, 2026. The Checkmarx case is more uncomfortable because the company's commercial value proposition is "we find code-tier risks for our customers" and the company's own code-tier risk surface produced a breach. The LAPSUS$ operator population has historically focused on extortion via dumped data, source code, and credentials, with large-vendor source-code theft as its signature — same shape, different vendor.
The mechanics for both breaches are versions of the same playbook. Get a credential or session that authorizes repository access: in practice a personal access token, an SSH key, an OAuth app grant, or a hijacked browser session. Walk the Git history, which includes every secret that was ever committed and later deleted, so a cloned tree is worth more than a snapshot of HEAD. Exfiltrate the code. Use the code either as direct extortion leverage, as the basis for finding additional vulnerabilities in the vendor's product line, or as a sale item to other operator populations whose downstream interests include finding ways to bypass the vendor's defensive products.
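The detection side of that playbook, as an added example that is not from the original post or from either vendor: a Python pass over a GitHub Enterprise-style audit-log export that flags the "walk the tree and exfiltrate" step. The log shape (newline-delimited JSON with `@timestamp`, `action`, `actor`, `actor_ip` and `repo`, with `git.clone` and `repo.download_zip` as the whole-tree actions) follows GitHub's audit-log export as I understand it and is an assumption here; the sample lines, the hypothetical org `acme`, and the thresholds are constructed.

```python
"""Added example: flag bulk repository cloning and clones from a never-before-seen
source IP in a GitHub-style audit-log export. Log shape is an assumption; the
sample below is constructed."""
import json
from collections import defaultdict

# Constructed sample (newline-delimited JSON, epoch-millisecond timestamps).
# "dev-alice" does normal work; the "svc-build" token suddenly clones six
# private repos in under a minute from an IP it has never used.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1746662400000, "action": "git.clone", "actor": "dev-alice", "actor_ip": "203.0.113.10", "repo": "acme/agent-core"}
{"@timestamp": 1746662460000, "action": "git.push", "actor": "dev-alice", "actor_ip": "203.0.113.10", "repo": "acme/agent-core"}
{"@timestamp": 1746663000000, "action": "git.clone", "actor": "svc-build", "actor_ip": "198.51.100.7", "repo": "acme/agent-core"}
{"@timestamp": 1746666000000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/agent-core"}
{"@timestamp": 1746666005000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/detection-rules"}
{"@timestamp": 1746666011000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/sast-queries"}
{"@timestamp": 1746666020000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/updater"}
{"@timestamp": 1746666033000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/console"}
{"@timestamp": 1746666047000, "action": "git.clone", "actor": "svc-build", "actor_ip": "192.0.2.44", "repo": "acme/installer"}
{"@timestamp": 1746669600000, "action": "git.clone", "actor": "dev-alice", "actor_ip": "203.0.113.10", "repo": "acme/console"}
"""

# Actions that pull a whole tree (assumed names from GitHub's audit log).
CLONE_ACTIONS = {"git.clone", "repo.download_zip"}


def parse_events(text):
    """Parse NDJSON audit lines into dicts with second-granularity timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append({
            "ts": raw["@timestamp"] // 1000,
            "action": raw["action"],
            "actor": raw["actor"],
            "ip": raw.get("actor_ip", ""),
            "repo": raw.get("repo", ""),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_clones(events, max_repos=5, window_s=300):
    """One finding per actor whose clone actions touch more than `max_repos`
    distinct repositories inside any `window_s`-second sliding window.
    Reports the densest window found for that actor."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in CLONE_ACTIONS:
            by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        best = None
        for i, start in enumerate(evs):
            repos, ips, last = set(), set(), start["ts"]
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window_s:
                    break
                repos.add(e["repo"])
                ips.add(e["ip"])
                last = e["ts"]
            if len(repos) > max_repos and (best is None or len(repos) > best["repo_count"]):
                best = {"actor": actor, "repo_count": len(repos), "ips": sorted(ips),
                        "first_ts": start["ts"], "last_ts": last}
        if best is not None:
            findings.append(best)
    return findings


def detect_new_source_ip(events, baseline_end_ts):
    """Clones from an IP the actor never used before `baseline_end_ts`.
    The baseline is learned from the same log here; a real deployment persists it."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end_ts:
            known[e["actor"]].add(e["ip"])
    return [
        {"actor": e["actor"], "ip": e["ip"], "repo": e["repo"], "ts": e["ts"]}
        for e in events
        if e["ts"] >= baseline_end_ts and e["action"] in CLONE_ACTIONS
        and e["ip"] not in known[e["actor"]]
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for f in detect_bulk_clones(evs):
        print("BULK CLONE", f)
    for f in detect_new_source_ip(evs, baseline_end_ts=1746664800):
        print("NEW SOURCE IP", f)
```

Run against the sample, the bulk rule fires once (svc-build, six repos in 47 seconds from 192.0.2.44) and the new-IP rule fires on each of those six clones; dev-alice's two clones from her usual address stay quiet. The two rules are deliberately independent so a slow, patient exfiltration that stays under the clone-count threshold still trips the source-IP rule, and a stolen session replayed from a familiar address still trips the count.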
The implication that should not be subtle
Source code from a security vendor's product is the highest-value Git repository class on the open market for operators looking to develop bypasses against that vendor's defensive technology. RansomHouse owning Trellix's source code means RansomHouse can study the detection logic that Trellix products use to identify ransomware, find the bypass cases that Trellix's QA process did not cover, and sell that bypass intelligence to ransomware affiliates whose entire monetization stack depends on getting past Trellix endpoints. One caveat a defender should hold onto: how much of that logic lives in the source tree, as opposed to cloud-delivered content, models and signatures that are updated continuously, decides how much the leak actually buys, and the disclosures summarized above do not identify which repositories were taken.
Checkmarx is the equivalent case for the vulnerability-finding side. LAPSUS$ owning Checkmarx's source code means LAPSUS$ has the logic behind the static-analysis rules Checkmarx ships. Operators whose goal is to land malicious or deliberately weak code past a customer's static-analysis gate now have commercial-grade product code to test against. The asymmetry is structural. The bypass research that LAPSUS$ does on the leaked Checkmarx code will compound for the operator population whose entire pipeline depends on shipping code that does not get flagged.
The defender posture downstream of these breaches should assume the bypass research is already happening. The vendors will respond with rule updates, signature changes, and detection-logic rewrites. The operator population will iterate. The arms race that defines the endpoint-protection and application-security market gets one structural step harder for the defenders, because the operators just got open access to the playbook.
The soft-surface-bleed frame, completed across the security vendor tier
We have been writing the soft-surface-bleed frame for two months. The thesis is that the hard perimeter — firewalls, EDR, network appliances — continues to hold while the soft surfaces between trusted systems bleed catastrophically. We named seven vendor surfaces under active exploitation in our May 30 Five Emerging Patterns synthesis: npm publish, GitHub Actions workflows, VS Code Marketplace, VS Code Tunnels, NuGet, Sentry telemetry, Google AI search. The Trellix + Checkmarx receipts add an eighth surface: the security vendor's own source code repository.
The eighth surface is qualitatively different from the first seven because the affected population is the population that sells defense for the first seven. The frame's recursion deepens. Defenders rely on Trellix to detect ransomware. RansomHouse owns Trellix's detection logic source. Defenders rely on Checkmarx to find code-tier vulnerabilities. LAPSUS$ owns Checkmarx's vulnerability-detection logic source. The trust path between the defender-population customer and the security vendor was a soft surface. The soft surface bled in April and May 2026. The defenders downstream get to discover the consequence over the next quarter as bypass research lands in the operator-tier marketplace.
The defender posture that follows
For organizations consuming Trellix or Checkmarx products: assume bypass research against those products is now underway in the operator-tier market. Plan accordingly. Subscribe to the vendor's customer-tier disclosure feed for whatever bypass-mitigation guidance arrives over the next 90–180 days. Layer the vendor's controls with controls from a different vendor's product line so that bypass research against one vendor's leaked code does not collapse your entire defensive posture. This is not theoretical. This is the structural cost of single-vendor dependency in the post-source-code-leak landscape.
For the broader defender market: the operational mental model that the security vendor industry sits outside the threat landscape is no longer operative. The receipts compound. Trellix in May. Checkmarx in April. Other vendors over the next quarters: every endpoint-protection company, every static-analysis company, every cloud-security-posture-management company, every threat-intelligence company that operates a Git repository and authenticates humans into it is on the same target list. The cohort that gets hit next is the cohort whose source code most efficiently advances operator-tier bypass research. The pricing is set by which vendor's product is most worth bypassing.
For independent threat-intelligence shops like DugganUSA: source code as a target class is the receipt our shop has been writing toward for months. The cost asymmetry is now visible at the vendor-victim tier. Trellix and Checkmarx have substantially more litigation-and-recovery resources than the customers they sell to. The post-breach response from both vendors will be sophisticated and well-funded. The defenders downstream who consume those vendors' products do not have the same legal-and-recovery firepower available, and they will absorb the bypass-research consequences without similar resources to mitigate them.
The asymmetry-inversion frame applies the same way it applies everywhere else this month. The cheapest defender posture beats the most expensive defender brand when the brand's source code is on RansomHouse's leak site. The cheapest defender posture is the one that does not rely on a single vendor's product to define the defensive surface. The cheapest defender posture is the one that consumes public threat-intelligence feeds, cross-correlates against ICIJ and breach databases, and treats the security vendor industry as a population subject to the same threat landscape as the customers the vendors sell to.
The wall has the same wallpaper as the room. The wallpaper is the soft surface. The receipts compound.
The receipts compound
The threat intelligence in this post — and the IOCs, ransomware-group profiles, and source-code-leak monitoring that would flag a Trellix-class or Checkmarx-class breach before the operator population starts shipping bypass research — all ship out through DugganUSA's public STIX 2.1 threat-intelligence feed. Free. No credit card. Machine-consumable. Registration takes thirty seconds at [analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register).
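What consuming a machine-readable STIX 2.1 feed looks like on the defender's side, as an added example that is not from the original post and does not reflect the contents of the DugganUSA feed: load a bundle, attribute each indicator to a threat actor through its `indicates` relationship, and match locally observed domains and file hashes against the equality-only subset of STIX patterning. The bundle, its identifiers, the domain and the hash below are constructed placeholders, not real indicators; the matcher deliberately rejects any pattern operator it does not understand rather than silently ignoring it.

```python
"""Added example: minimal STIX 2.1 bundle consumer with actor attribution and
an equality-only pattern matcher. All identifiers and observables are constructed."""
import json
import re
from collections import defaultdict

PLACEHOLDER_SHA256 = "a" * 64  # constructed, not a real sample hash
ACTOR_ID = "threat-actor--00000000-0000-4000-8000-000000000002"
DOMAIN_IND_ID = "indicator--00000000-0000-4000-8000-000000000003"
HASH_IND_ID = "indicator--00000000-0000-4000-8000-000000000004"
_TS = "2026-05-09T00:00:00.000Z"

# Constructed bundle in the shape a STIX 2.1 feed entry takes.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR_ID,
         "created": _TS, "modified": _TS, "name": "RansomHouse",
         "threat_actor_types": ["crime-syndicate"]},
        {"type": "indicator", "spec_version": "2.1", "id": DOMAIN_IND_ID,
         "created": _TS, "modified": _TS, "name": "constructed leak-site mirror",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "valid_from": _TS,
         "pattern": "[domain-name:value = 'leak-mirror.example' OR "
                    "domain-name:value = 'leak-mirror.example.net']"},
        {"type": "indicator", "spec_version": "2.1", "id": HASH_IND_ID,
         "created": _TS, "modified": _TS, "name": "constructed dropper hash",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "valid_from": _TS,
         "pattern": f"[file:hashes.'SHA-256' = '{PLACEHOLDER_SHA256}']"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000005",
         "created": _TS, "modified": _TS, "relationship_type": "indicates",
         "source_ref": DOMAIN_IND_ID, "target_ref": ACTOR_ID},
    ],
})

# One equality comparison: object-type:path = 'value'. Paths may carry quoted
# keys such as hashes.'SHA-256'; a quoted key that itself contains a dot is not handled.
COMPARISON = re.compile(r"(?P<otype>[\w-]+):(?P<path>[\w.'\-]+)\s*=\s*'(?P<value>[^']*)'")


def parse_pattern(pattern):
    """[a = 'x' AND b = 'y' OR c = 'z'] -> [[(type, path, 'x'), (type, path, 'y')], [(type, path, 'z')]].
    AND binds tighter than OR, as in STIX. Anything else raises ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    alternatives = []
    for alt in body[1:-1].split(" OR "):
        comparisons = []
        for term in alt.split(" AND "):
            m = COMPARISON.fullmatch(term.strip())
            if m is None:
                raise ValueError("unsupported comparison: " + term)
            path = [seg.strip("'") for seg in m.group("path").split(".")]
            comparisons.append((m.group("otype"), path, m.group("value")))
        alternatives.append(comparisons)
    return alternatives


def _lookup(obj, path):
    """Walk a dotted path through a cyber-observable dict; None if absent."""
    for seg in path:
        if not isinstance(obj, dict) or seg not in obj:
            return None
        obj = obj[seg]
    return obj


def load_indicators(bundle_text):
    """Parse every stix-pattern indicator and attach actor names reached via 'indicates'."""
    bundle = json.loads(bundle_text)
    by_id = {o["id"]: o for o in bundle["objects"]}
    actors_for = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = by_id.get(o["target_ref"])
            if target is not None and target["type"] == "threat-actor":
                actors_for[o["source_ref"]].append(target["name"])
    return [
        {"id": o["id"], "name": o["name"], "actors": actors_for.get(o["id"], []),
         "alternatives": parse_pattern(o["pattern"])}
        for o in bundle["objects"]
        if o["type"] == "indicator" and o.get("pattern_type", "stix") == "stix"
    ]


def match_observation(observation, indicators):
    """(indicator name, attributed actors) for each indicator the observation satisfies.
    Observations use STIX cyber-observable field names, e.g.
    {"type": "domain-name", "value": ...} or {"type": "file", "hashes": {"SHA-256": ...}}."""
    hits = []
    for ind in indicators:
        for comparisons in ind["alternatives"]:
            if all(observation.get("type") == otype and _lookup(observation, path) == value
                   for otype, path, value in comparisons):
                hits.append((ind["name"], ind["actors"]))
                break
    return hits


# Constructed local observations: the first two should match, the third should not.
SAMPLE_OBSERVATIONS = [
    {"type": "domain-name", "value": "leak-mirror.example.net"},
    {"type": "file", "name": "update.bin", "hashes": {"SHA-256": PLACEHOLDER_SHA256}},
    {"type": "domain-name", "value": "github.com"},
]

if __name__ == "__main__":
    indicators = load_indicators(SAMPLE_BUNDLE)
    for obs in SAMPLE_OBSERVATIONS:
        print(obs, "->", match_observation(obs, indicators))
```

The attribution step is the part worth copying: an indicator on its own tells you what to block, while the `indicates` edge to a `threat-actor` object tells you whose bypass research you are now looking at, which is the question the rest of this post is about.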
Yesterday we documented that customers consuming our feed had visibility on the BlueHammer Microsoft Defender CVE for forty days before Microsoft's MSRC blog officially acknowledged the cluster. The asymmetry inversion is real, it is dated, and it compounds for whoever subscribes. The same predictive-kill-chain pattern will apply to the next security-vendor source-code leak — defenders downstream of our feed will know which bypass research is active before the vendor's customer-tier disclosure cycle catches up.
The cheapest defender posture beats the most expensive defender brand. Subscribe. The receipts compound.
— Patrick Duggan · DugganUSA LLC