European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack

Summary

The European Commission suffered a data breach affecting 300GB of data from its AWS environment after unknowingly deploying a compromised version of Aqua Security's Trivy vulnerability scanner, which was poisoned in a March 19 supply chain attack by the TeamPCP hacking group. Attackers used a stolen AWS API key to gain access, perform reconnaissance, and exfiltrate data from 71 clients including 42 internal EC entities and 29 other EU organizations. The stolen data, primarily containing names, email addresses, and usernames, was later listed for extortion by the ShinyHunters group on its Tor leak site.

Full text

The European Commission (EC) has confirmed that hackers stole over 300GB of data from its AWS environment using an API key compromised in the Trivy supply chain attack. The incident occurred on March 24 and was initially disclosed on March 27, when the EC warned that cloud infrastructure hosting its resources for the Europa.eu platform had been breached. Now, CERT-EU reveals that the hack involved an AWS cloud account that is part of the backend for the Europa.eu hosting service, which supports public websites for the EC and other European Union entities. Hackers gained access to the AWS account using an API key compromised on March 19 in the supply chain attack on Aqua Security’s Trivy vulnerability scanner, carried out by the TeamPCP hacking group. “The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels,” CERT-EU explains. Using the compromised AWS key, the attackers created and attached a new access key to a user account and carried out reconnaissance, according to the EU’s cybersecurity team.Advertisement. Scroll to continue reading. “This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS),” CERT-EU says. Wiz recently explained that TeamPCP wasted no time validating stolen credentials, launching discovery operations, exfiltrating more data, and attempting lateral movement. “The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities,” CERT-EU notes. On March 28, the infamous ShinyHunters extortion group added the stolen information to its Tor-based leak site. The 340GB of uncompressed data includes personal information such as names, email addresses, and usernames, mainly from the EC’s websites. Users across multiple EU entities were likely affected as well, CERT-EU says. Roughly 2.22GB of the data, or 51,992 files, represents automated notifications, including bounce-back messages containing original user-submitted content, which could include personal information. “The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time,” CERT-EU notes. Upon learning of the compromise, the EC revoked the compromised account’s rights, deactivated and rotated the compromised credentials, and notified the relevant data protection bodies. The Commission also confirmed that the incident did not affect its internal systems. Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign Related: T-Mobile Sets the Record Straight on Latest Data Breach Filing Related: 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital Related: Mercor Hit by LiteLLM Supply Chain Attack Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cisco Patches Critical and High-Severity Vulnerabilities250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingNew DeepLoad Malware Dropped in ClickFix AttacksUS Charges Uranium Crypto Exchange Hacker Latest News TrueConf Zero-Day Exploited in Asian Government AttacksIn Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by RansomwareCritical ShareFile Flaws Lead to Unauthenticated RCEMobile Attack Surface Expands as Enterprises Lose ControlReact2Shell Exploited in Large-Scale Credential Harvesting CampaignT-Mobile Sets the Record Straight on Latest Data Breach FilingNorth Korean Hackers Drain $285 Million From Drift in 10 SecondsCritical Vulnerability in Claude Code Emerges Days After Source Leak Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — TruffleHog

Entities