Trivy supply chain attack enabled European Commission cloud breach

CERT-EU confirmed that ShinyHunters are behind the recent breach of the cloud infrastructure underpinning websites of the European Commission, and that they stole and subsequently leaked approximately 340 GB of data.

“Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities,” European Union’s CERT said.

“The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, ‘bounce-back’ notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.”

Initial access tied to Trivy supply chain attack

The breach was detected by EC’s SOC on March 24 and CERT-EU was notified on March 25.

Based on the fact that the initial access happened on March 19, 2026, the misuse of AWS credentials, the targeting of cloud infrastructure, and the EC using a compromised version of AquaSec’s Trivy security scanner at the time of the attack, CERT-EU and the EC believe that the initial access vector was the Trivy supply-chain compromise.

The attackers acquired an AWS API key, which granted them control over other EC’s AWS accounts.

Then they used TruffleHog to scan for secrets and validate AWS credentials by calling the Security Token Service, and used the compromised AWS secret to create and attach a new access key to an existing user. Finally, then started reconnaissance.

This modus operandi has also been observed by Wiz researchers and has been tied to TeamPCP, the group linked to the recent Trivy, KICS, LiteLLM and Telnyx supply chain attacks.

Whether the achieved access was then handed off to ShinyHunters or ShinyHunters is only involved in the cyber extortion part of the attack is currently unknown. The group published the stolen data on their dark web leak site on March 28.

No lateral movement detected

“The threat actor obtained management rights for the compromised AWS secret, which could have allowed them to move laterally to other AWS accounts belonging to the European Commission. However, no indication of such movement has been uncovered so far,” CERT-EU noted.

“The European Commission swiftly revoked the compromised account’s rights to block any illegitimate access. All compromised access keys have been deactivated or deleted.”

The europa.eu websites and the services provided by the platform were not affected by the security incident.

The institutions are still analyzing the leaked databases, and it’s possible they will discover other types of data that have been compromised. The affected clients of the Europa web hosting service have been notified and so have the appropriate data protection agencies across the EU.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!