Hackers Breach European Commission via Poisoned Open-Source Tool Trivy
European Commission Data Breach: The Details
April 4, 2026 – 1:45 pm
CERT-EU has attributed a major data breach at the European Commission to the cybercrime group TeamPCP, which used a supply chain attack on the open-source security tool Trivy to steal approximately 92 GB of compressed data from the Commission’s AWS infrastructure. The compromised data, subsequently published by the ShinyHunters gang, included emails and personal details from up to 71 clients across EU institutions.
The breach highlights the weaknesses in the open-source software supply chain behind the security tools that governments worldwide rely on.
The Attack:
The attack began on March 19, when the European Commission downloaded a compromised version of Trivy, a widely used open-source vulnerability scanner developed by Aqua Security. TeamPCP had earlier exploited an incomplete credential rotation following a breach of Trivy's GitHub repository, which allowed them to force-push malicious code to most version tags in the trivy-action repository.
The malware harvested an AWS API key, giving the attackers access to the Commission’s account on Amazon Web Services (AWS).
Subsequent steps included:
- Reconnaissance: Using TruffleHog, a cloud credential scanning tool, the attackers searched for additional secrets.
- Persistence: They created a new access key and attached it to an existing user to evade detection, then enumerated IAM users, roles, EC2 instances, Lambda functions, RDS databases, S3 buckets, and Route 53 hosted zones.
- Exfiltration: The focus was on ECS clusters, mapping task definitions for direct container access and bulk exfiltration from AWS Secrets Manager.
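The persistence and reconnaissance steps above leave a recognisable trace in CloudTrail: one principal creates an access key for a different, existing IAM user, and that user then fans out into inventory calls and Secrets Manager reads. The following Python is an added example, not code from the article, CERT-EU or Aqua Security; it runs that detection over constructed CloudTrail-style records, and the account id, user names and threshold are assumptions.

```python
from collections import defaultdict

def _ev(time, name, actor, target=None):
    """Build a minimal CloudTrail-style record (only the fields the rule reads)."""
    rec = {"eventTime": time, "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{actor}"}}
    if target:
        rec["requestParameters"] = {"userName": target}
    return rec

# Constructed sample events (assumed account id and user names, not real logs):
# a compromised identity mints a key for an existing user, which then fans out.
SAMPLE_EVENTS = [
    _ev("2026-03-19T10:01:00Z", "CreateAccessKey", "ci-scanner", "backup-svc"),
    _ev("2026-03-19T10:02:00Z", "ListUsers", "backup-svc"),
    _ev("2026-03-19T10:02:10Z", "ListRoles", "backup-svc"),
    _ev("2026-03-19T10:02:20Z", "DescribeInstances", "backup-svc"),
    _ev("2026-03-19T10:02:30Z", "ListFunctions", "backup-svc"),
    _ev("2026-03-19T10:02:40Z", "ListBuckets", "backup-svc"),
    _ev("2026-03-19T10:03:00Z", "GetSecretValue", "backup-svc"),
    # Benign noise: an admin rotating her own key, then a single inventory call.
    _ev("2026-03-19T11:00:00Z", "CreateAccessKey", "alice", "alice"),
    _ev("2026-03-19T11:01:00Z", "ListBuckets", "alice"),
]

# Read-only inventory calls matching the enumeration described in the article.
ENUMERATION = {"ListUsers", "ListRoles", "DescribeInstances", "ListFunctions",
               "DescribeDBInstances", "ListBuckets", "ListHostedZones",
               "ListClusters", "ListTaskDefinitions", "DescribeTaskDefinition"}
SECRET_READS = {"ListSecrets", "GetSecretValue", "BatchGetSecretValue"}

def find_suspicious_users(events, min_enumeration=3):
    """Return users given an access key by a *different* principal that then made
    >= min_enumeration inventory calls or any secret read (events in time order)."""
    granted_by_other = set()
    enum_count, secret_count = defaultdict(int), defaultdict(int)
    for ev in events:
        actor = ev["userIdentity"]["arn"].rsplit("/", 1)[-1]
        name = ev["eventName"]
        if name == "CreateAccessKey":
            # userName is optional in the API call and defaults to the caller.
            target = (ev.get("requestParameters") or {}).get("userName", actor)
            if target != actor:
                granted_by_other.add(target)
        elif actor in granted_by_other:
            if name in ENUMERATION:
                enum_count[actor] += 1
            elif name in SECRET_READS:
                secret_count[actor] += 1
    return sorted(u for u in granted_by_other
                  if enum_count[u] >= min_enumeration or secret_count[u] > 0)
```

Run against real CloudTrail exports, the same rule also needs the assumed-role ARN form and a time window, which this example omits.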
The Impact:
The European Commission’s Cybersecurity Operations Centre detected the anomaly on March 24, five days after the initial compromise, through alerts for potential API misuse and abnormal network traffic.