On April 3, 2026, CERT-EU published an official advisory detailing how a threat actor known as TeamPCP used a compromised version of Trivy, a vulnerability scanner widely run inside continuous integration and continuous delivery (CI/CD) pipelines, to harvest Amazon Web Services (AWS) API keys.
This highly sophisticated attack ultimately led to the exfiltration of more than 340 GB of uncompressed data, severely impacting up to 71 clients hosted on the Europa web hosting service.
The extortion group ShinyHunters subsequently published the stolen dataset on its dark web leak site. In accordance with the Cybersecurity Regulation (EU) 2023/2841, CERT-EU is actively coordinating the incident response to secure the infrastructure and mitigate further risks across affected Union entities.
The breach traces back to March 19, 2026, when the European Commission unknowingly downloaded a compromised version of Trivy through normal software update channels.
According to threat intelligence firm Aqua Security, the threat actor TeamPCP specifically engineered their malicious code to operate within and infiltrate CI/CD pipelines.
Once inside the Commission’s environment, TeamPCP acquired an AWS secret with management rights over other affiliated cloud accounts. To maximize their reach, the attackers immediately deployed TruffleHog, a widely used secret-scanning tool.
They leveraged TruffleHog to validate AWS credentials by calling the Security Token Service (STS), which generates short-lived security credentials.
To maintain persistent, undetected access, the threat actor used the compromised AWS secret to create and attach a new access key to an existing user account before initiating extensive reconnaissance.
By March 24, the Commission’s Cybersecurity Operations Center (CSOC) detected anomalous network traffic and potential API misuse, triggering an immediate incident response.
The compromised AWS account formed the technical backend for multiple public websites belonging to the European Commission. The threat actor systematically exfiltrated approximately 91.7 GB of compressed data, translating to roughly 340 GB when uncompressed.
This dataset heavily impacted 42 internal clients of the European Commission and at least 29 other Union entities.
On March 28, the notorious data extortion group ShinyHunters claimed responsibility for the leak, publishing the entire dataset on their dark web portal. Preliminary analysis of the leaked files confirmed the exposure of sensitive personal data, including first names, last names, usernames, and email addresses from users across multiple Union entities.
Furthermore, the dump contained over 51,000 files related to outbound email communications. While the majority of these 2.22 GB of files were automated system notifications, researchers noted that “bounce-back” messages frequently contained the original user-submitted content, creating a significant risk of deeper personal data exposure. Fortunately, no internal systems were breached, and no websites were defaced or taken offline.
The attackers employed a variety of established MITRE ATT&CK techniques, notably Supply Chain Compromise (T1195.002), Cloud Account Compromise (T1586.003), Valid Cloud Accounts (T1078.004), and Data from Local System (T1005).
TeamPCP’s infrastructure relied heavily on typosquatted domains, malicious GitHub repositories, and Cloudflare tunnels to covertly exfiltrate the harvested cloud secrets. While the attackers possessed the management rights necessary to pivot laterally into other European Commission AWS accounts, investigators have found no evidence that such lateral movement occurred.
In response to the growing threat of CI/CD pipeline attacks, CERT-EU strongly recommends that all organizations immediately address the Trivy compromise.
Security teams must update Trivy to a known-safe version, audit deployments across all environments, and rotate every AWS secret that may have been exposed during the exposure window.
The European Commission has already led by example, rapidly deactivating all compromised access keys, securing their AWS secrets, and notifying the European Data Protection Supervisor (EDPS) in compliance with Regulation (EU) 2018/1725.
Furthermore, administrators should restrict CI/CD pipeline access to cloud credentials, applying the strict principle of least privilege to scope permissions appropriately.
Pinning GitHub Actions to full commit SHAs rather than mutable tags, and enabling AWS CloudTrail logging, are critical steps for detecting anomalous STS calls or TruffleHog usage early in the kill chain.
Establishing robust vendor risk management protocols and deploying real-time behavioral monitoring for CI/CD environments is now an essential strategy for identifying unauthorized secret access and preventing future supply-chain catastrophes.
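As an added illustration of the CloudTrail-based detection recommended above (not code from CERT-EU or the advisory), the following script scans CloudTrail records for the two behaviours described in this incident: STS GetCallerIdentity calls issued by a secret-scanning tool, and an access key created for a user other than the caller. The sample records are constructed, and the user agent string, IAM user names and IP addresses are assumptions for the demo.

```python
import json

# Constructed CloudTrail-style records for the demo; field names follow the
# CloudTrail event schema, all values are made up (not from the incident).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-20T09:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"}},
    {"eventTime": "2026-03-20T09:16:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"},
     "requestParameters": {"userName": "svc-webhosting"}},
    {"eventTime": "2026-03-20T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "aws-sdk-go/1.44.0",
     "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole", "userName": "GitHubActionsRole"}},
]

SCANNER_AGENTS = ("trufflehog",)  # assumed user-agent substrings of secret scanners


def load_records(text):
    """Parse a CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text).get("Records", [])


def analyze(events):
    """Return (rule, caller, detail) findings; events are processed in order."""
    findings = []
    scanner_ips = set()  # source IPs already seen validating keys with a scanner
    for ev in events:
        caller = ev.get("userIdentity", {}).get("userName", "?")
        agent = ev.get("userAgent", "").lower()
        ip = ev.get("sourceIPAddress", "?")
        # Rule 1: an STS identity check coming from a secret-scanning tool.
        if ev["eventName"] == "GetCallerIdentity" and any(a in agent for a in SCANNER_AGENTS):
            findings.append(("scanner_validation", caller, ip))
            scanner_ips.add(ip)
        # Rule 2: a key minted for a different IAM user than the caller (persistence).
        if ev["eventName"] == "CreateAccessKey":
            target = ev.get("requestParameters", {}).get("userName", caller)
            if target != caller:
                findings.append(("foreign_key_created", caller, target))
            # Rule 3: key creation from an IP that just validated keys with a scanner.
            if ip in scanner_ips:
                findings.append(("key_created_after_scan", caller, ip))
    return findings
```

Run `analyze(load_records(open("cloudtrail.json").read()))` against a real export; the rules are deliberately simple so they can be ported to a SIEM query.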
The incident response also highlights the critical importance of the legal framework governing these breaches. Under Article 21 of the Cybersecurity Regulation, Union entities are strictly required to report significant incidents to CERT-EU without undue delay, a protocol the European Commission followed by notifying the agency within 24 hours of confirmation.
This rapid information-sharing arrangement enables CERT-EU to coordinate with Member State counterparts, improving collective detection and accelerating the remediation process across the continent.
The post CERT-EU Confirms Trivy Supply Chain Attack Led to European Commission AWS Breach appeared first on Cyber Security News.