DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/DARK-WEB
DMZ INTEL DESK//FILED: 2026-05-16//01:15Z
HIGH#dark web

RansomHouse Claims Trellix Source Code Repository Breach; 53,000 Customers Across 185 Countries at Downstream Risk

Cybersecurity vendor Trellix (formed from the McAfee Enterprise/FireEye merger) confirmed in early May that attackers gained unauthorized access to a portion of its source code repository, with RansomHouse claiming responsibility and leaking screenshots purporting to show access to its appliance management system. Trellix states no evidence of source code exploitation or tampering with its release/build pipeline, but has not disclosed which product lines were accessed, the intrusion timeline, or the attack vector; the breach is assessed as potentially linked to a broader TeamPCP-led supply chain campaign that also hit Checkmarx, Aqua Security, and Bitwarden by compromising CI/CD secrets. Defenders running Trellix XDR, EDR, or network security products should treat forthcoming patches with elevated scrutiny and audit agent privileges, as source code access provides adversaries a roadmap to detection logic and bypass opportunities.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
trellix · ransomhouse · source-code-theft · supply-chain · xdr · edr · teampcp · fireye-lineage · dark-web
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
TEAMPCP
CRIMINAL

MORE FROM ARCHIVE

# DARK WEB
2026-05-26
CISA Contractor (Nightwing) Exposed AWS GovCloud Admin Keys and Plaintext Credentials in Public GitHub Repo for Six Months
# DARK WEB
2026-05-25
The Gentlemen RaaS Internal Chats and Backend Data Leaked on Breached Forum — Rare Visibility Into 10% of 2026 Global Ransomware Victims, Affiliate Economics, and EDR-Killer Tooling
# DARK WEB
2026-05-24
Operation Saffron: Europol Seizes First VPN Used by 25+ Ransomware Groups, Captures Full User Database of 5,000+ Criminal Accounts After Covert Traffic Interception
# DARK WEB
2026-05-23
TripleX, CoinbaseCartel, Bashe Post Fresh Victims on Leak Sites — State Bank, Aerospace Avionics, Pharma Manufacturer Hit in 24-Hour Window