Skip to content
BriefingsRSS · DSI
Series · Part 19 of 53
The Chokepoint Doctrine
When the Shield Becomes the Weapon: What the Trellix Source Code Breach, the Medtronic Attack, and the Pattern They Form Tell Us About the Collapse of the Security Vendor Trust Model
Threat AssessmentMay 25, 202613 min read

When the Shield Becomes the Weapon: What the Trellix Source Code Breach, the Medtronic Attack, and the Pattern They Form Tell Us About the Collapse of the Security Vendor Trust Model

Trellix's source code repository was breached on May 2. Three weeks earlier, Medtronic confirmed a ShinyHunters attack on 9 million patient records. They join Microsoft, Okta, and LastPass on a list that should never exist — the security vendors whose entire commercial proposition is preventing the attacks they cannot prevent on themselves. This briefing maps the structural failure and the four predicted outcomes.

~22 min

Start With a Question

If the company you hired to protect you from hackers just got hacked — what does that mean for you?

It is not a rhetorical question. It is the operational question that 50,000 business and government customers of Trellix — the cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye, protecting more than 200 million endpoints globally — need to be asking this week and cannot fully answer, because Trellix has not told them what they need to know to answer it.

On May 2, 2026, Trellix disclosed that attackers had gained unauthorised access to a portion of its source code repository. On May 7, RansomHouse — a sophisticated extortion group active since December 2021, known for double-extortion attacks targeting high-value sectors including healthcare, manufacturing, and critical infrastructure — claimed responsibility, stating it had accessed not just the source code but the appliance management system used to deploy, configure, update, and monitor Trellix security products in customer environments.

Trellix confirmed it was investigating. It said it had found no evidence that the accessed code had been exploited or altered. It said production systems and customer data were unaffected. It said law enforcement had been notified. What it has not said — and what its customers most urgently need to know — is which specific products were affected, what the dwell time was before detection, and whether the appliance management system access means that threat actors have the ability to influence how Trellix tools behave in customer deployments.

That silence is not a communications failure. It is a signal. And it is the same signal that a different threat actor sent through a different breach at a different company in the same month — and that the pattern of security vendor compromises stretching back through Okta, Microsoft, and LastPass has been sending for three years while the enterprise security industry has treated each incident as an isolated event rather than a systemic finding.

This piece names the systemic finding.

Timeline of major security vendor breaches from August 2022 to May 2026 — LastPass, Okta (twice), Microsoft, Medtronic, and Trellix, showing escalation in scale and structural significance
Four years, six breaches at the layer that was supposed to protect everything else.

The List That Should Never Exist

Trellix now joins a list that includes Microsoft, Okta, and LastPass — security tool manufacturers themselves becoming targets.

That sentence deserves to be read slowly, because the list it describes is the list of organisations whose entire commercial proposition is that they can protect you from the attacks they just failed to prevent on themselves.

Microsoft — whose security products protect the majority of enterprise Windows environments globally — had its source code accessed by the Midnight Blizzard group in January 2024. The attackers used a password spray attack on a legacy test account to access executive email accounts over a period of weeks. The company that sells Microsoft Defender, Microsoft Sentinel, and the security features embedded in every Microsoft 365 subscription was penetrated through a test account that did not have multi-factor authentication enabled.

Okta — whose identity platform is the authentication layer through which tens of thousands of organisations control access to every system they operate — experienced a breach of its support case management system in October 2023, affecting 134 customers. The company whose core product is preventing unauthorised access was accessed without authorisation through its own customer-facing infrastructure. In a subsequent investigation, Okta confirmed that its GitHub repositories containing customer source code had been accessed in December 2022 — a breach that had gone undetected for months.

LastPass — whose password management product holds the master credentials for millions of enterprise and consumer users — suffered a breach in August 2022 in which attackers accessed its development environment and stole source code and proprietary technical information. A second incident in November 2022 used data from the first to access a cloud storage environment containing encrypted customer vault backups. The company whose entire value proposition is securing the keys to every other system was breached twice in four months.

Trellix is the security layer. The question that the list demands is not why these companies were targeted. It is what it means — structurally, operationally, and strategically — that the security layer is now systematically penetrated by the same adversaries it was built to stop.

Comparison table of four major security vendor breaches (Microsoft, Okta, LastPass, Trellix) across threat actor, entry vector, MFA on entry account, what was taken, customer impact scope, detection lag, product-level disclosure, and whether the update channel was compromised
The same architectural failure, four times. Each treated as an isolated incident.

The Medtronic Dimension: When the Patient Is the Downstream Casualty

Three weeks before the Trellix disclosure, a different breach confirmed a different dimension of the same structural failure — and this one has six federal class action lawsuits already filed.

On April 17 and 18, 2026, ShinyHunters listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum. Medtronic publicly disclosed the breach on April 24, acknowledging unauthorised access to corporate IT systems. The intrusion targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. ShinyHunters claimed to have stolen more than 9 million records containing PII and terabytes of internal corporate data.

Medtronic has since been removed from ShinyHunters' website, indicating that the organisation may have paid a ransom.

The removal from the leak site is the most consequential data point in the entire incident — not because it confirms payment, but because of what payment means in the ShinyHunters operational model. The series has documented ShinyHunters' structural non-compliance with its own payment terms. Multiple organisations that paid ransoms to ShinyHunters subsequently found their data published or resold anyway. If Medtronic paid, the 9 million patient records that ShinyHunters claimed to hold are not necessarily secured. They are held by a criminal group that has demonstrated it will monetise data through multiple channels regardless of whether the immediate extortion demand was satisfied.

Medtronic becomes the latest major medical device manufacturer targeted by cybercriminals in 2026, joining Stryker, Intuitive Surgical, and UFP Technologies in a wave of attacks that highlights the industry's growing vulnerability. As of early 2026, 22 percent of healthcare organisations have experienced at least one cyberattack targeting medical devices, while ransomware attacks on the healthcare sector surged by 30 percent in 2025, with 293 attacks recorded against hospitals and direct care providers.

DSI Advisory

Need intelligence like this on a decision you're facing?

DSI Advisory Services helps boards, business leaders, defence institutions, and security leaders understand threats before they reach the horizon — where cyber, geopolitics, and business risk converge.

Commission a bespoke intelligence productExplore advisory