Trivy Supply Chain Attack - European Commission AWS Breach

In short, attackers used a compromised open-source tool to steal sensitive data from the European Commission.
A major breach linked to a supply-chain attack on the European Commission's AWS environment has exposed sensitive data. Affected entities include numerous Union organizations. This incident raises significant security concerns and highlights the need for robust protective measures.
What Happened
The European Commission's primary web platform, europa.eu, experienced a severe data breach due to a supply-chain compromise involving the popular open-source vulnerability scanner, Trivy. On April 3, 2026, CERT-EU released an advisory detailing how the threat actor known as TeamPCP exploited a compromised version of Trivy to harvest Amazon Web Services (AWS) API keys. This sophisticated attack resulted in the exfiltration of over 340 GB of uncompressed data, affecting up to 71 clients hosted on the Europa web hosting service.
Who's Affected
The breach has severely impacted 42 internal clients of the European Commission and at least 29 other Union entities. The ShinyHunters extortion group subsequently published the stolen dataset on their dark web leak site, which included sensitive personal data such as names, usernames, and email addresses.
What Data Was Exposed
The leaked dataset contained over 51,000 files related to outbound email communications. Although most files were automated system notifications, researchers noted that many bounce-back messages included original user-submitted content, increasing the risk of personal data exposure. Fortunately, no internal systems were breached, and no websites were defaced or taken offline.
What You Should Do
In response to the attack, CERT-EU recommends that all organizations immediately address the Trivy compromise. Here are critical steps to take:
- Update Trivy to a known-safe version.
- Audit deployments across all environments.
- Rotate all AWS secrets that may have been exposed.
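As an added example (not from the CERT-EU advisory or the Trivy project), a small Python audit that scans CI configuration text for Trivy references and reports which ones float or rely on mutable tags, so a team auditing its deployments can see which pipelines would pull whatever is current rather than a pinned build. The action name, image name and install-script forms are assumptions, and the versions and hashes are placeholders.

```python
import re

# Constructed sample (not from the page): a GitHub Actions workflow fragment and one
# Dockerfile line, each pulling Trivy in a different way. Version tags and hashes are
# placeholders, not real Trivy releases.
FAKE_COMMIT = "0" * 39 + "1"
FAKE_DIGEST = "sha256:" + "0" * 63 + "1"
SAMPLE_CI = f"""\
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v0.0.0
      - uses: aquasecurity/trivy-action@{FAKE_COMMIT}
  image: aquasec/trivy:latest
  image: aquasec/trivy:v0.0.0
  image: aquasec/trivy@{FAKE_DIGEST}
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
"""

REF_PATTERNS = [
    re.compile(r"uses:\s*aquasecurity/trivy-action@([\w.\-/:]+)"),  # GitHub Action ref
    re.compile(r"aquasec/trivy(?:[:@]([\w.\-:]+))?"),               # container image ref
]
INSTALL_SCRIPT = re.compile(r"curl\b.*\|\s*(?:ba)?sh\b")           # curl ... | sh installer

def classify(ref: str) -> str:
    """Immutable refs cannot be swapped out upstream; everything else can be."""
    if re.fullmatch(r"sha256:[0-9a-f]{64}", ref) or re.fullmatch(r"[0-9a-f]{40}", ref):
        return "immutable"     # image digest or full commit SHA
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "version_tag"   # explicit, but a tag can be re-pointed after release
    return "floating"          # latest/main/master/absent: whatever is current today

def audit_trivy_refs(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_reference, classification) for each Trivy reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pat in REF_PATTERNS:
            for m in pat.finditer(line):
                findings.append((n, m.group(0), classify(m.group(1) or "")))
        if "trivy" in line.lower() and INSTALL_SCRIPT.search(line):
            findings.append((n, line.strip(), "floating"))
    return findings

def needs_action(findings):
    """Refs that must be re-pinned (or at least verified) after a compromise notice."""
    return [f for f in findings if f[2] != "immutable"]

if __name__ == "__main__":
    for n, ref, kind in audit_trivy_refs(SAMPLE_CI):
        print(f"line {n:2d}  {kind:12s} {ref}")
```

Even a pinned digest only tells you that the artifact has not changed; it still has to be compared against the version the advisory declares safe.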
The European Commission has already taken action by deactivating all compromised access keys and notifying the European Data Protection Supervisor (EDPS) as required by Regulation (EU) 2018/1725. Security teams should also restrict CI/CD pipeline access to cloud credentials, applying the principle of least privilege so that each pipeline holds only the permissions it actually needs.
Establishing robust vendor risk management protocols and deploying real-time behavioral monitoring for CI/CD environments is essential to prevent future supply-chain attacks. The incident underscores the importance of rapid incident reporting and response, as mandated by the Cybersecurity Regulation (EU) 2023/2841. The European Commission notified CERT-EU within 24 hours of confirming the breach, enabling swift coordination and remediation efforts across the EU.