Source Code Breaches: When Hackers Outpace Security Vendors
Trellix, Okta, LastPass – three security providers, three source code breaches, one pattern. Attackers are deliberately compromising security providers to discover vulnerabilities in their products before those providers' customers do. Traditional vendor due diligence is no longer sufficient. Anyone evaluating a SIEM, EDR, or IAM provider today without examining the vendor's own security posture merely shifts the risk – they don't eliminate it.
The Pattern Behind Trellix, Okta, and LastPass
Three breaches, three years, three different vectors – but one common outcome: attackers gained access to security code before the affected providers fully understood what had been exfiltrated. This is no coincidence and not merely operational misfortune.
The LastPass breach (August 2022) began with the compromised laptop of a senior developer. Attackers used an unpatched Plex Media Server on the developer's personal device as the entry point. From there, they gained access to the LastPass development environment and extracted source code along with environment variables containing credentials for cloud resources. Result: four months later, the production backup vault was compromised.
The Okta breach (October 2023) targeted source code in a GitHub repository. Attackers used a compromised service account token. What was exfiltrated was not the primary authentication core but code from the customer support system. Nevertheless, whoever knows the code knows the edge cases that developers never fixed for reasons of backward compatibility.
The Trellix incident (2024) follows a similar pattern. Details are not yet fully public, but the attack vector ran through a compromised CI/CD pipeline. The pattern: the target is not the production code but the build process.
Figures for Context
10 days: average time between vendor compromise and first exploitation (Mandiant M-Trends 2025)
62%: share of all breaches with a software supply chain connection (Verizon DBIR 2025)
18 months: average time from the LastPass breach to full customer communication about its extent
Five New Criteria for Security Vendor Evaluations
These five questions should be included in every security vendor RFI before a contract is signed. The answers reveal more than any certification.
1. How is your CI/CD pipeline secured against supply chain attacks?
Expected: SLSA Level 3 or comparable, signed commits, pipeline-as-code with an audit log, no direct production access from developer environments.
2. How do you isolate developer access to source code from production systems?
Expected: separate identities for Dev vs. Ops, MFA everywhere, a personal device policy for senior developers with code access, JIT access for privileged CI operations.
3. How long does it take from breach detection to initial customer notification?
Expected: a contractual SLA for security incidents, ideally 72 hours. LastPass took 4 months for full disclosure. This is not an acceptable standard.
4. What permissions does your agent/sensor require in our environment?
Expected: least privilege documented, no "local admin" by default, network segmentation for sensor traffic, signing for all update packages.
5. Do you have a bug bounty program, and what is the average patch time?
Expected: a public bug bounty program, average patch time under 30 days for Critical CVEs, CVSS v3 scores for the vendor's own disclosures. A provider with no public disclosure history is a warning sign.
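To make the first criterion (SLSA Level 3, signed build outputs) and the fourth (signing for all update packages) concrete on the customer side, here is an added example in Python. It is not code from the article or from any of the vendors named: it verifies an agent update package against the SLSA v0.2 provenance statement a Level 3 builder would ship alongside it, checking that the package digest is covered by the statement, that the build came from the expected builder, and that the source was pinned to an immutable commit. The builder id, the source repository URI, the package bytes and the provenance document are constructed values; the check assumes that the signature on the DSSE envelope carrying the statement has already been verified with the vendor's public key.

```python
"""Verify an agent update package against its SLSA provenance statement.

Added example (not the article's or any vendor's code). Builder id, source
URI, package bytes and the statement itself are constructed sample values.
Signature verification of the DSSE envelope is assumed to happen before this.
"""
import hashlib
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

# Assumed values: what the customer expects, agreed with the vendor up front.
EXPECTED_BUILDER = "https://ci.example-vendor.invalid/builder/v1"
EXPECTED_SOURCE = "git+https://git.example-vendor.invalid/agent.git"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(package: bytes, statement: dict,
                     expected_builder: str = EXPECTED_BUILDER,
                     expected_source: str = EXPECTED_SOURCE) -> list:
    """Return a list of findings; an empty list means the package passes."""
    findings = []
    if statement.get("_type") != IN_TOTO_STATEMENT:
        findings.append("not an in-toto statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        findings.append("unexpected predicate type")

    # 1. The package we hold must be one of the statement's subjects.
    digest = sha256_hex(package)
    subjects = statement.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == digest for s in subjects):
        findings.append("package digest not covered by provenance subject")

    predicate = statement.get("predicate") or {}

    # 2. The build must come from the vendor's hardened builder, not from a
    #    developer laptop or an ad-hoc runner.
    builder_id = (predicate.get("builder") or {}).get("id")
    if builder_id != expected_builder:
        findings.append(f"unexpected builder id: {builder_id!r}")

    # 3. The source must be pinned to a commit digest, so the reviewed code
    #    is demonstrably what was built.
    materials = predicate.get("materials") or []
    source = [m for m in materials if m.get("uri") == expected_source]
    if not source:
        findings.append("expected source repository not listed in materials")
    elif not (source[0].get("digest") or {}).get("sha1"):
        findings.append("source material not pinned to a commit digest")
    return findings


# --- Constructed sample data (not a real vendor package) -------------------
SAMPLE_PACKAGE = b"fake agent update payload v1.2.3\n"

SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT,
    "predicateType": SLSA_PROVENANCE_V02,
    "subject": [{"name": "agent-1.2.3.tar.gz",
                 "digest": {"sha256": sha256_hex(SAMPLE_PACKAGE)}}],
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER},
        "buildType": "https://ci.example-vendor.invalid/buildtypes/release",
        "materials": [{"uri": EXPECTED_SOURCE,
                       "digest": {"sha1": "a" * 40}}],  # constructed commit id
    },
}


def demo():
    """Run the check on a good package, a tampered package, and an unpinned build."""
    good = check_provenance(SAMPLE_PACKAGE, SAMPLE_STATEMENT)
    tampered = check_provenance(SAMPLE_PACKAGE + b"\x00", SAMPLE_STATEMENT)
    unpinned = json.loads(json.dumps(SAMPLE_STATEMENT))  # deep copy
    unpinned["predicate"]["materials"][0]["digest"] = {}
    return good, tampered, check_provenance(SAMPLE_PACKAGE, unpinned)


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "unpinned"), demo()):
        print(label, "PASS" if not result else result)
```

The three checks map directly onto the RFI answers above: a builder id that is not the vendor's hardened CI identity, or source material with no commit digest, is exactly the kind of build-process weakness the Trellix pattern exploits, and the subject digest check is what makes "signing for all update packages" verifiable on the customer side rather than a claim on a questionnaire.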
Pros and Cons: Zero-Trust Architecture for Security Tool Agents
Benefits of Strict Segmentation
Cover Image Source: Pexels / Polina Zimmerman (px:3779082)