What Happened

The European Commission has confirmed a significant data breach originating from the TeamPCP supply chain attack we covered earlier this week. CERT-EU published findings on April 3 attributing the intrusion to TeamPCP for the initial access and ShinyHunters for the subsequent data exfiltration and public leak.

The bottom line: the Commission’s CI/CD infrastructure downloaded a poisoned copy of the Trivy vulnerability scanner after the March 19 compromise. That gave TeamPCP an AWS API key, which they used to pivot into the Commission’s cloud accounts and extract approximately 92 GB of compressed data. ShinyHunters then published the dump online after extortion demands went unanswered.

At least 29 additional EU entities beyond the Commission itself may have had data exposed through shared cloud infrastructure.

Attack Chain

The technical sequence follows the same pattern seen in the broader TeamPCP campaign, but the downstream impact here is what makes this significant:

March 19: TeamPCP force-pushes malicious commits to Trivy’s GitHub Action repositories and publishes poisoned binaries to Docker Hub, GHCR, and ECR. The payload — TeamPCP Cloud Stealer — harvests CI/CD secrets from any pipeline that runs the compromised scanner.

March 19–25 (estimated): The European Commission’s infrastructure pulls the compromised Trivy binary as part of routine vulnerability scanning. The Cloud Stealer exfiltrates an AWS API key associated with the Commission’s cloud account.

March 25–31: TeamPCP uses the stolen AWS credentials to access S3 buckets, internal databases, and email archives hosted on Commission infrastructure. Data exfiltration occurs over multiple sessions.

March 31: ShinyHunters — operating in a data broker role alongside TeamPCP — issues extortion demands to the Commission, setting an April 3 deadline.

April 3: CERT-EU publishes its attribution. ShinyHunters begins publishing the 92 GB dataset after no payment is received. The Commission confirms the breach but initially downplays the scope.

What Was Stolen

The leaked dataset includes:

  • Personal data of EU staff and external users: names, email addresses, usernames, and organizational metadata, primarily from Europa.eu-connected services
  • Email contents from Commission mailboxes hosted on the compromised AWS infrastructure
  • Internal documents and configuration data from cloud-hosted services
  • Credentials and tokens that may enable further lateral movement into other EU agency systems

CERT-EU has warned that the data pertains not just to Commission employees but potentially to users across multiple EU entities that share backend infrastructure.

Who Is Affected

CERT-EU identified at least 30 entities with potential exposure, including the European Commission itself and potentially the European Medicines Agency (EMA), European Banking Authority (EBA), ENISA (the EU cybersecurity agency), and Frontex. The full scope is still being assessed.

Any organization that exchanged data with the Commission through its Europa.eu platform or shared AWS tenancy should assume potential exposure until notified otherwise.

Why This Matters

This is the most consequential downstream impact yet from the TeamPCP supply chain campaign. A single compromised open-source tool in a CI/CD pipeline led to the breach of a supranational government body and potentially dozens of its agencies. The attack required no zero-days, no phishing of Commission staff, and no exploitation of the Commission’s own code — just a poisoned dependency that the pipeline trusted implicitly.

It also demonstrates the growing operational model of threat actor cooperation: TeamPCP handles the supply chain compromise and initial access, then ShinyHunters monetizes the stolen data through extortion and public leaks. Operating in tandem makes both the technical breach and the post-compromise pressure campaign more effective.

What To Do

If you run Trivy in CI/CD: Verify you are on clean versions. The TeamPCP post has the specific affected versions and remediation steps. Pin GitHub Actions by SHA, not tag.

If you interact with EU Commission systems: Monitor for breach notification from CERT-EU. Assume email addresses and metadata shared with Europa.eu services may be in the leak. Rotate any credentials used in integrations with Commission platforms.

General supply chain hygiene:

  • Audit all CI/CD dependencies for pinning strategy (SHA > tag > latest)
  • Implement secret scanning on pipeline outputs, not just inputs
  • Treat vulnerability scanners with the same suspicion as any other privileged pipeline component — they run with broad access and are high-value targets
  • Monitor for stolen credential usage in cloud audit logs (CloudTrail, etc.)
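As an added example (not code from the article, Trivy or CERT-EU), the pinning audit from the first bullet in Python: it walks a GitHub Actions workflow, classifies every `uses:` reference as SHA, tag, floating or local, and reports the references a force-push or tag rewrite could silently change. The workflow text is constructed for the example; the commit SHA in it is a placeholder.

```python
import re

# Matches a `uses:` line in a GitHub Actions workflow, e.g. `- uses: actions/checkout@v4`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")   # full commit SHA: immutable
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")   # v4, v0.28.0, 1.2: a mutable tag
# Constructed sample workflow (not from any real repository) mixing the
# pinning styles the article ranks: SHA > tag > floating/latest.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
      - uses: actions/upload-artifact@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:latest
"""

def classify_ref(uses: str) -> str:
    """Classify a `uses:` reference as sha, tag, floating or local."""
    if uses.startswith("./"):
        return "local"            # lives in this repo and is reviewed with the code
    if uses.startswith("docker://"):
        return "sha" if "@sha256:" in uses else "floating"
    ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "floating"             # master/main/latest, or no ref at all

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, pinning class) for every action used."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings

def unpinned(text: str) -> list[tuple[int, str, str]]:
    """Only the references a tag rewrite or force-push could silently change."""
    return [f for f in audit_workflow(text) if f[2] in ("tag", "floating")]

if __name__ == "__main__":
    for lineno, uses, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:2d}  {kind:8s} {uses}")
```

Point it at `.github/workflows/*.yml` and treat every `tag` or `floating` hit as a candidate to replace with a commit SHA (keeping the tag as a trailing comment for readability).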

Sources