Bip Milwaukee Local News

Trivy supply chain attack enabled European Commission cloud breach

Apr 03, 2026  Twila Rosenbaum  9 views
Trivy Supply Chain Attack Leads to European Commission Cloud Breach

The European Union’s Computer Emergency Response Team (CERT-EU) has confirmed that the recent breach of the cloud infrastructure supporting European Commission websites was executed by the hacker group known as ShinyHunters. The breach resulted in the theft and subsequent leak of approximately 340 GB of sensitive data.

Initial analysis of the leaked dataset revealed the presence of personal information, including lists of names, usernames, last names, and email addresses. Most of this data appears to originate from the European Commission’s websites, but it may also include information related to users from various Union entities. Additionally, the dataset comprises at least 51,992 files associated with outbound email communications, totaling around 2.22 GB. While most of these files are automated notifications with minimal content, there are 'bounce-back' notifications that could expose original user-submitted content, heightening the risk of personal data exposure.

Attack Vector Linked to Trivy Supply Chain Compromise

The breach was detected by the European Commission's Security Operations Center (SOC) on March 24, 2026, with CERT-EU being notified shortly thereafter. Investigations revealed that initial access occurred on March 19, 2026, through the misuse of AWS credentials. At the time of the attack, the European Commission was using a compromised version of AquaSec’s Trivy security scanner. CERT-EU and the European Commission suspect that initial access stemmed primarily from the Trivy supply chain compromise.

During the attack, the perpetrators gained access to an AWS API key, which allowed them to control additional AWS accounts belonging to the European Commission. They utilized a tool called TruffleHog to scan for sensitive information and validate AWS credentials by invoking the Security Token Service. Subsequently, they exploited the compromised AWS secret to create and attach a new access key to an existing user, enabling them to perform reconnaissance.

This approach has been recognized by researchers at Wiz and is associated with TeamPCP, the group implicated in recent supply chain attacks involving Trivy, KICS, LiteLLM, and Telnyx. It remains unclear whether the access gained was transferred to ShinyHunters or if ShinyHunters were solely responsible for the extortion component of the attack. The group published the stolen data on their dark web leak site on March 28, 2026.
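For defenders, the sequence described above (a credential check against the Security Token Service followed by a new access key attached to an existing user) can be hunted for in CloudTrail. The sketch below is an added example, not code from CERT-EU, Wiz or the original article; it assumes the STS call is GetCallerIdentity, as TruffleHog's AWS verification uses, and the sample records, key IDs, user names and the 24-hour window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not incident data), deliberately out of order.
SAMPLE_LOG = """
{"eventTime":"2026-01-10T08:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLECI0000001"},"requestParameters":{"userName":"svc-deploy"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLENEW000001"}}}
{"eventTime":"2026-01-10T08:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLECI0000001"},"requestParameters":null,"responseElements":null}
{"eventTime":"2026-01-10T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.20","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN0001"},"requestParameters":{"userName":"alice"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLENEW000002"}}}
{"eventTime":"2026-01-10T08:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLECI0000001"},"requestParameters":{"userName":"admin"},"responseElements":null,"errorCode":"AccessDenied"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_key_persistence(events, window=timedelta(hours=24)):
    """Flag CreateAccessKey calls made with a key that called
    sts:GetCallerIdentity at most `window` earlier (window is an assumed default)."""
    # CloudTrail delivery order is not guaranteed, so sort by event time first.
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    last_probe = {}  # caller access key id -> time of its latest GetCallerIdentity
    findings = []
    for e in events:
        caller = (e.get("userIdentity") or {}).get("accessKeyId")
        if not caller:
            continue  # events without an access key id cannot be correlated here
        when = parse_time(e["eventTime"])
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetCallerIdentity":
            last_probe[caller] = when
        elif e["eventSource"] == "iam.amazonaws.com" and e["eventName"] == "CreateAccessKey":
            probed = last_probe.get(caller)
            if probed is None or when - probed > window:
                continue  # no recent identity check by this key: likely routine rotation
            resp = (e.get("responseElements") or {}).get("accessKey") or {}
            findings.append({
                "caller_key": caller,
                "target_user": (e.get("requestParameters") or {}).get("userName"),
                "new_key": resp.get("accessKeyId"),  # None when the call was denied
                "error": e.get("errorCode"),         # denied attempts are still a signal
                "source_ip": e.get("sourceIPAddress"),
                "time": e["eventTime"],
            })
    return findings

if __name__ == "__main__":
    for finding in find_key_persistence(SAMPLE_EVENTS):
        print(finding)
```

Each finding names the calling key, the user the new key was attached to and the new key ID, which are the values needed to deactivate or delete keys during response.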

No Evidence of Lateral Movement Detected

CERT-EU reported that while the threat actors gained management rights for the compromised AWS secrets, which could have facilitated lateral movement to other AWS accounts within the European Commission, there is currently no evidence to suggest that such actions occurred. In response to the breach, the European Commission promptly revoked the compromised account’s permissions to prevent any unauthorized access, and all compromised access keys have been deactivated or deleted.

It is important to note that the europa.eu websites and the services provided by the platform were not affected by this security incident. Authorities within the institutions continue to analyze the leaked databases, and there is a likelihood that further types of compromised data may be discovered. Affected clients utilizing the Europa web hosting service have been notified, along with the relevant data protection agencies across the European Union.

As the investigation proceeds, the European Commission emphasizes the importance of vigilance in cybersecurity and the need for robust measures to protect sensitive information from evolving threats.


Source: Help Net Security News
