CERT-EU: Trivy Supply Chain Attack Breached European Commission AWS

Marcus Rodriguez
April 3, 2026 5 Min Read

Key Takeaways

  • The European Commission’s main web platform, europa.eu, suffered a significant data breach due to a supply-chain attack targeting the Trivy vulnerability scanner.
  • Threat actor TeamPCP exploited a compromised Trivy version to steal AWS API keys, leading to the exfiltration of over 340 GB of data affecting 71 European Union entities.
  • The stolen data, including personal information and email communications, was subsequently published by the ShinyHunters extortion group on the dark web.
  • Immediate action is required for organizations using Trivy, including updating to a secure version, rotating AWS secrets, and implementing enhanced CI/CD security measures.

The European Commission’s primary web presence, europa.eu, has confirmed a substantial data breach stemming from a sophisticated supply-chain compromise involving Trivy, a widely used open-source vulnerability scanner.

On April 3, 2026, CERT-EU issued an official advisory detailing how a threat actor, identified as TeamPCP, leveraged a compromised continuous integration and continuous delivery (CI/CD) tool to illicitly obtain Amazon Web Services (AWS) API keys.

This advanced attack culminated in the exfiltration of more than 340 GB of uncompressed data, impacting up to 71 clients hosted on the Europa web hosting service.

The notorious extortion group ShinyHunters later released the pilfered dataset on its dark web leak site. In adherence to the Cybersecurity Regulation (EU) 2023/2841, CERT-EU is actively managing the incident response to secure the affected infrastructure and mitigate ongoing risks for impacted Union entities.

The breach originated on March 19, 2026, when the European Commission inadvertently downloaded a compromised version of Trivy through routine software update channels.

Trivy Supply Chain Attack Details

According to cybersecurity firm Aqua Security, TeamPCP specifically designed their malicious code to infiltrate and operate within CI/CD pipelines.

Upon gaining access to the Commission’s environment, TeamPCP successfully acquired an AWS secret that provided management rights over other affiliated cloud accounts. To broaden their access, the attackers promptly deployed TruffleHog, a widely used secret-scanning tool.

They utilized TruffleHog to validate AWS credentials by invoking the Security Token Service (STS), which generates temporary security credentials.

To ensure persistent, covert access, the threat actor used the compromised AWS secret to create and attach a new access key to an existing user account before initiating extensive reconnaissance activities.

By March 24, the Commission’s Cybersecurity Operations Center (CSOC) detected unusual network traffic and potential API misuse, prompting an immediate incident response.

The compromised AWS account served as the technical backend for numerous public websites belonging to the European Commission. The threat actor systematically exfiltrated approximately 91.7 GB of compressed data, which expands to roughly 340 GB when uncompressed.

This dataset significantly affected 42 internal clients of the European Commission and at least 29 other Union entities.

On March 28, the prominent data extortion group ShinyHunters claimed responsibility for the leak, publishing the entire dataset on their dark web portal. Initial analysis of the leaked files confirmed the exposure of sensitive personal data, including first names, last names, usernames, and email addresses belonging to users across multiple Union entities.

Additionally, the dump contained over 51,000 files related to outbound email communications. While the majority of these 2.22 GB of files were automated system notifications, investigators noted that “bounce-back” messages frequently contained original user-submitted content, posing a significant risk of deeper personal data exposure. Fortunately, no internal systems were breached, and no websites were defaced or taken offline.

The attackers employed various established MITRE ATT&CK techniques, including Supply Chain Compromise (T1195.002), Cloud Account Compromise (T1586.003), Valid Cloud Accounts (T1078.004), and Data from Local System (T1005).

TeamPCP’s infrastructure heavily relied on typosquatted domains, malicious GitHub repositories, and Cloudflare tunnels to surreptitiously exfiltrate the harvested cloud secrets. Although the attackers possessed the management rights necessary to pivot laterally into other European Commission AWS accounts, investigators found no evidence of such lateral movement.

What You Should Do

  • Update Trivy Immediately: Ensure all deployments of Trivy are updated to a known-safe version.
  • Audit and Rotate AWS Secrets: Conduct a thorough audit of all AWS secrets and credentials that may have been exposed during the vulnerability window, and rotate them without delay.
  • Restrict CI/CD Cloud Access: Implement the principle of least privilege for CI/CD pipeline access to cloud credentials, scoping permissions as narrowly as possible.
  • Pin GitHub Actions: Pin GitHub Actions to full SHA hashes instead of mutable tags to prevent unexpected code changes.
  • Enable AWS CloudTrail Logging: Proactively enable and monitor AWS CloudTrail logs to detect anomalous STS calls or TruffleHog usage early in the kill chain.
  • Enhance Vendor Risk Management: Establish robust protocols for managing third-party vendor risks, especially those involving software supply chains.
  • Deploy Real-time Behavioral Monitoring: Implement real-time behavioral monitoring for CI/CD environments to identify unauthorized secret access and prevent future supply-chain attacks.
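As an added illustration of the CloudTrail monitoring item above (example code, not from CERT-EU, Aqua Security or the article), this Python rule flags the validate-then-persist sequence the advisory describes: an sts:GetCallerIdentity check (the STS call TruffleHog uses to verify a key) followed within a short window by iam:CreateAccessKey from the same access key. The records, key IDs, user names and the 15-minute window are constructed assumptions, not values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed tuning value; adjust for your pipelines

def _rec(time, source, name, ip, key, user, target=None):
    """Build one CloudTrail-shaped record (only the fields the rule reads)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key, "userName": user}}
    if target:
        rec["requestParameters"] = {"userName": target}
    return rec

# Constructed sample, not a real capture: key ...0001 validates itself and mints a
# key for another user 4.5 minutes later; key ...0002 does the same an hour apart.
SAMPLE_RECORDS = [
    _rec("2026-03-19T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "198.51.100.7", "AKIAEXAMPLEKEY000001", "ci-deployer"),
    _rec("2026-03-19T10:04:30Z", "iam.amazonaws.com", "CreateAccessKey",
         "198.51.100.7", "AKIAEXAMPLEKEY000001", "ci-deployer", target="web-admin"),
    _rec("2026-03-19T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "203.0.113.5", "AKIAEXAMPLEKEY000002", "auditor"),
    _rec("2026-03-19T12:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
         "203.0.113.5", "AKIAEXAMPLEKEY000002", "auditor", target="auditor"),
]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_validate_then_persist(records, window=WINDOW):
    """Alert when one access key calls sts:GetCallerIdentity (how TruffleHog
    validates a harvested key) and then iam:CreateAccessKey within `window`.
    A lone GetCallerIdentity is far too common to alert on by itself."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_key[rec["userIdentity"].get("accessKeyId", "")].append(rec)
    alerts = []
    for key, events in by_key.items():
        last_check = None
        for ev in events:
            if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
                last_check = ev
            elif ev["eventName"] == "CreateAccessKey" and last_check is not None \
                    and _ts(ev) - _ts(last_check) <= window:
                alerts.append({"accessKeyId": key,
                               "caller": ev["userIdentity"].get("userName"),
                               "targetUser": ev.get("requestParameters", {}).get("userName"),
                               "secondsAfterCheck": int((_ts(ev) - _ts(last_check)).total_seconds())})
                last_check = None  # one alert per validation, not per later CreateAccessKey
    return alerts
```

Feed it the `Records` array of a real CloudTrail file and the only extra work is matching the long-lived key to the CI/CD principal that should never be creating IAM keys at all.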

In response to the escalating threat of CI/CD pipeline attacks, CERT-EU strongly advises all organizations to immediately address the Trivy compromise.

Security teams must update Trivy to a known-safe version, audit deployments across all environments, and meticulously rotate all AWS secrets that may have been exposed during the vulnerability window.

The European Commission has already set an example by rapidly deactivating all compromised access keys, securing their AWS secrets, and notifying the European Data Protection Supervisor (EDPS) in compliance with Regulation (EU) 2018/1725.

Furthermore, administrators should restrict CI/CD pipeline access to cloud credentials, applying the strict principle of least privilege to scope permissions appropriately.

Pinning GitHub Actions to full SHA hashes rather than mutable tags and proactively enabling AWS CloudTrail logs are critical steps to detect anomalous STS calls or TruffleHog usage early in the kill chain.

Establishing robust vendor risk management protocols and deploying real-time behavioral monitoring for CI/CD environments are now essential for identifying unauthorized secret access and preventing future supply-chain catastrophes.

The incident response also highlights the critical importance of the legal framework governing these breaches. Under Article 21 of the Cybersecurity Regulation, Union entities are strictly required to report significant incidents to CERT-EU without undue delay, a protocol the European Commission followed by notifying the agency within 24 hours of confirmation.

This rapid information-sharing arrangement enables CERT-EU to coordinate with Member State counterparts, improving collective detection and accelerating the remediation process across the continent.
