Europe’s cybersecurity agency, CERT-EU, has attributed a major data breach at the European Commission to a supply chain attack on the open-source security tool Trivy, carried out by the cybercrime group TeamPCP[1][2]. The hackers stole approximately 340 GB of data—including personal information like names, usernames, email addresses, and over 51,992 email-related files—from the Commission’s AWS cloud infrastructure powering websites such as europa.eu, before the notorious ShinyHunters gang leaked it on the dark web on March 28[1][3].
The breach began on March 19, 2026, when the European Commission unknowingly downloaded a compromised version of Trivy through standard software update channels. According to CERT-EU’s official analysis, TeamPCP exploited this supply chain compromise to harvest an AWS API key, granting control over affiliated cloud accounts and enabling reconnaissance with tools like TruffleHog, which scans for additional secrets[2][4]. The European Commission’s Security Operations Center (SOC) detected anomalies—such as misuse of Amazon APIs and unusual network traffic—on March 24, prompting notification to CERT-EU the next day[1][2].
This incident affects data from 42 internal European Commission clients and potentially 29 other EU entities using the shared infrastructure, raising concerns about widespread exposure of personal data from Union websites and user interactions[3][5]. While most stolen files appear to be automated email notifications with minimal content, bounce-back messages could reveal sensitive user-submitted information, posing privacy risks under EU regulations[1]. As reported by TechCrunch and The Next Web, TeamPCP’s role in the initial hack is confirmed, though it remains unclear whether they directly handed the data to ShinyHunters or whether the latter only handled the extortion and leak[cluster:1][cluster:2].
In response, the European Commission swiftly deactivated compromised AWS keys, rotated secrets, and informed the European Data Protection Supervisor as required by Regulation (EU) 2018/1725[4]. CERT-EU has urged all organizations to update Trivy to safe versions, audit deployments, and enhance CI/CD pipeline monitoring to counter the rising threat of supply chain attacks, which this case exemplifies alongside TeamPCP’s strikes on tools like KICS and LiteLLM[2][6]. Affected clients and data protection agencies across the EU have been notified, with ongoing analysis of the leaked datasets likely to uncover further details[5].
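The anomalies the Commission's SOC picked up (misuse of Amazon APIs by a key harvested from a CI/CD pipeline) and CERT-EU's call for closer pipeline monitoring are the kind of thing a per-key behavioural baseline catches. The following is an added illustration, not CERT-EU's or the Commission's tooling: it runs over constructed CloudTrail-style events with a hypothetical baseline for one pipeline access key (placeholder key IDs, documentation IP ranges) and reports calls that fall outside that baseline or look like secret harvesting.

```python
# Added example (not CERT-EU's or the Commission's code): flag anomalous use of a CI/CD
# pipeline's AWS access key in CloudTrail-style events. Hypothetical baseline: the key does
# only registry/S3 reads from one egress IP, so a new IP or secrets/IAM enumeration is flagged.
# Constructed sample events in CloudTrail's field layout (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-19T10:02:11Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "GetAuthorizationToken", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIA_PIPELINE_PLACEHOLDER"}},
    {"eventTime": "2026-03-19T10:02:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIA_PIPELINE_PLACEHOLDER"}},
    {"eventTime": "2026-03-19T11:40:05Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIA_PIPELINE_PLACEHOLDER"}},
    {"eventTime": "2026-03-19T11:41:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAccessKeys", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIA_PIPELINE_PLACEHOLDER"}},
]
# Per-key baseline of expected source IPs and "service:Action" calls (hypothetical).
BASELINE = {"AKIA_PIPELINE_PLACEHOLDER": {
    "ips": {"203.0.113.10"},
    "calls": {"ecr:GetAuthorizationToken", "s3:GetObject", "sts:GetCallerIdentity"}}}
# Calls typical of secret harvesting or key minting rather than of a scan job.
RECON_CALLS = {"secretsmanager:ListSecrets", "secretsmanager:GetSecretValue",
               "iam:ListAccessKeys", "iam:CreateAccessKey", "s3:ListBuckets"}


def find_anomalies(events, baseline):
    # Return (eventTime, accessKeyId, reason) per event that breaks its key's baseline;
    # keys with no baseline are skipped here and need a separate detector.
    findings = []
    for event in events:
        key_id = event["userIdentity"].get("accessKeyId")
        profile = baseline.get(key_id)
        if profile is None:
            continue
        reasons = []
        if event["sourceIPAddress"] not in profile["ips"]:
            reasons.append(f"new source IP {event['sourceIPAddress']}")
        # Normalise to the "service:Action" form used in the baseline.
        name = f"{event['eventSource'].split('.')[0]}:{event['eventName']}"
        if name in RECON_CALLS:
            reasons.append(f"reconnaissance call {name}")
        elif name not in profile["calls"]:
            reasons.append(f"call outside baseline {name}")
        if reasons:
            findings.append((event["eventTime"], key_id, "; ".join(reasons)))
    return findings
```

On the constructed sample the two registry/S3 reads from the known egress IP pass, while the two enumeration calls from the unknown address are reported with both reasons; in practice the baseline would be learned from the pipeline's own history rather than hand-written.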
The breach underscores vulnerabilities in widely used open-source tools like Trivy, a vulnerability scanner from Aqua Security that ironically aimed to bolster defenses[7]. Aqua Security has publicly linked the compromise to TeamPCP and is aiding remediation efforts. For EU citizens and institutions relying on Commission websites, this means heightened phishing risks from exposed emails, prompting calls for robust vendor risk management and real-time behavioral monitoring in cloud environments[4]. Investigations continue, but no lateral movement to other Commission AWS accounts has been found so far[3].