European Commission Breach Ironically Via Trivy Supply Chain Attack
How a Security Scanner Breached the Institution Writing Europe’s Cybersecurity Laws
On April 2, 2026, CERT-EU published a detailed advisory confirming that the European Commission’s cloud infrastructure had been breached through a supply chain compromise. The attack exploited a poisoned version of Trivy, a widely trusted open-source vulnerability scanner, to steal AWS credentials from the Commission’s CI/CD pipelines. Five days passed before anyone noticed.
The data extortion group ShinyHunters — the same group behind the Odido breach that exposed 6.2 million Dutch citizens — published 91.7 GB of compressed data on their dark web leak site on March 28. The archive contained emails, an SSO user directory, AWS configuration snapshots, DKIM signing keys, and data from the EU’s military financing mechanism.
This article breaks down how the attack worked, why the stolen DKIM keys are the most dangerous component, and what the breach reveals about the gap between regulatory ambition and operational discipline.
The Attack Chain
The initial compromise did not target the Commission directly. It targeted the Commission’s tools.
On March 19, a threat actor tracked as TeamPCP used previously compromised credentials to publish a malicious Trivy release (v0.69.4). They force-pushed 76 of 77 version tags in the aquasecurity/trivy-action GitHub repository to commits containing credential-stealing malware, and replaced all 7 tags in aquasecurity/setup-trivy with malicious commits. The attack was assigned CVE-2026-33634 with a CVSS score of 9.4 (Critical) and was added to CISA's Known Exploited Vulnerabilities catalog.
The malicious code executed inside CI/CD pipeline runners, the automated environments where organisations run security scans on their code before deployment. It dumped the memory of the Runner.Worker process (the process that holds the job's secrets and environment) via /proc/<pid>/mem, swept over 50 filesystem paths for credentials (AWS, GCP, Azure, SSH keys, database passwords, Kubernetes tokens), encrypted the haul with hybrid AES-256-CBC/RSA-4096 encryption so that only the attacker's private key could recover it, and transmitted it to an attacker-controlled server at scan.aquasecurtiy.org, a typosquatted domain mimicking Aqua Security's legitimate infrastructure.
If the primary exfiltration channel failed, the malware had a fallback: it created a public repository called tpcp-docs on the victim's own GitHub account and uploaded the stolen credentials as a release asset.
The European Commission was running the compromised Trivy version in its automated pipelines during the exposure window. The malware harvested AWS API keys with management rights over Commission cloud accounts.
From there, the attacker followed a familiar playbook. They used the stolen AWS key to create a second access key on an existing user account, a persistence technique: rotating the harvested key achieves nothing if the attacker's own key on the same user is left in place. They launched TruffleHog, a secrets-scanning tool, to discover additional credentials. Then they began extracting data.
CERT-EU’s timeline shows five days between initial access (March 19) and detection (March 24), when the Commission’s Security Operations Centre flagged anomalous API usage and an abnormal spike in outbound traffic. The compromised keys were revoked on March 25. By then, 340 GB of data had already left the building.
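The two post-compromise behaviours described above, a stolen key minting a new access key and a burst of reads before bulk egress, both leave traces in CloudTrail. The detector below is an added example written for this article, not CERT-EU's or the Commission's detection logic; the events are constructed (RFC 5737 documentation addresses, placeholder account and user names), and the per-principal IP baseline is assumed to come from a SOC's own history rather than being hard-coded.

```python
"""Flag two CloudTrail patterns from the attack chain above:
  1. CreateAccessKey from an IP the principal has never used, or for a
     different user (persistence that survives rotation of the stolen key);
  2. a burst of S3 object reads from one principal (bulk collection).
All records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the SOC keeps a 30-day baseline of source IPs per principal.
KNOWN_IPS = {
    "arn:aws:iam::111122223333:user/ci-deployer": {"203.0.113.10"},
}

ACTOR = "arn:aws:iam::111122223333:user/ci-deployer"

# Constructed events following the CloudTrail record schema.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-19T10:02:11Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "userIdentity": {"arn": ACTOR},
     "sourceIPAddress": "198.51.100.77", "requestParameters": None},
    {"eventTime": "2026-03-19T10:03:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "userIdentity": {"arn": ACTOR},
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "ci-deployer"}},
] + [
    {"eventTime": f"2026-03-19T11:{i // 60:02d}:{i % 60:02d}Z",
     "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": ACTOR}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "example-bucket", "key": f"dump-{i}.tar"}}
    for i in range(250)
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_key_minting(events, known_ips):
    """Return (time, actor, reason) for suspicious CreateAccessKey calls."""
    alerts = []
    for e in events:
        if e["eventName"] != "CreateAccessKey":
            continue
        actor = e["userIdentity"]["arn"]
        target = (e.get("requestParameters") or {}).get("userName")
        ip = e["sourceIPAddress"]
        reasons = []
        if ip not in known_ips.get(actor, set()):
            reasons.append(f"unseen source IP {ip}")
        # requestParameters.userName is absent when a user mints a key for itself.
        if target and not actor.endswith("/" + target):
            reasons.append(f"key minted for other user {target}")
        if reasons:
            alerts.append((e["eventTime"], actor, "; ".join(reasons)))
    return alerts


def detect_read_burst(events, threshold=200, window=timedelta(minutes=10),
                      read_calls=("GetObject",)):
    """Return (actor, count) for any principal exceeding `threshold` object
    reads inside a sliding `window`; reports the first window that trips."""
    per_actor = defaultdict(list)
    for e in events:
        if e["eventName"] in read_calls:
            per_actor[e["userIdentity"]["arn"]].append(parse_time(e["eventTime"]))
    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append((actor, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_key_minting(SAMPLE_EVENTS, KNOWN_IPS):
        print("PERSISTENCE:", alert)
    for alert in detect_read_burst(SAMPLE_EVENTS):
        print("BULK READ:", alert)
```

The thresholds are deliberately simple; in production the read-burst rule would be tuned per bucket and principal, and the IP baseline would come from historical CloudTrail rather than a dictionary. The point is that both behaviours are visible in logs the Commission already had, which is how its SOC eventually caught them.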
What Was Taken
The exfiltrated data came from the AWS environment hosting the Europa.eu web platform — the digital infrastructure serving the European Commission, Parliament, Council, and dozens of other EU bodies.
CERT-EU confirmed the breach affected 71 clients of the Europa hosting service: 42 internal Commission departments and at least 29 other Union entities. The dataset included:
51,992 email-related files (2.22 GB of outbound communications). CERT-EU notes that while most are automated notifications, bounce-back messages may contain original user-submitted content — meaning personal correspondence sent to EU institutions may be in the archive.
An SSO user directory and AWS configuration snapshots. This provides a complete architectural map of the Commission’s cloud environment and trust relationships — useful for anyone planning a follow-up attack.
DKIM signing keys for Europa.eu domains. This is the most technically dangerous component of the leak, and it deserves its own section.
Data from Athena, the EU’s mechanism for financing common costs of military operations under the Common Security and Defence Policy. ComplexDiscovery confirmed the presence of Athena-related data alongside NextCloud collaboration files and administrative URLs, citing analysis by the International Cyber Digest.
Why the DKIM Keys Are the Real Problem
DKIM (DomainKeys Identified Mail) is a cryptographic email authentication protocol. When the Commission sends an email, its mail server signs selected headers and the body with a private key and records the signing domain (the d= tag) and a selector in a DKIM-Signature header. The receiving server fetches the matching public key from DNS and checks the signature. If it verifies and the signing domain aligns with the domain in the From: header, the message passes DKIM and, by extension, DMARC. It is treated as authentic.
With the private DKIM signing keys, anyone can forge emails that cryptographically verify as originating from Europa.eu domains. DMARC requires only one aligned authentication result, SPF or DKIM, so a forgery sent from an attacker's own server fails SPF and still passes DMARC on the strength of the valid signature. Such messages arrive without any authentication warning, and content-based spam filtering is a much weaker line of defence against a well-crafted, correctly signed message.
The implications are concrete. A forged email appearing to come from a Commission official could instruct a member state ministry to redirect a payment. It could request that a defence contractor update logistics coordinates. It could deliver malware in an attachment that the recipient has no reason to distrust, because every technical authentication check confirms the sender is real.
“DKIM signing keys and AWS config snapshots in the same breach is catastrophic,” noted security commentator z3n. “With DKIM keys, ShinyHunters can forge emails that pass authentication from EU Commission domains — perfect for spear-phishing EU member states.”
This risk persists until the Commission generates new key pairs, publishes the new public keys under new selectors, and removes or revokes (by publishing an empty p= value) the DNS records for the compromised selectors, so that signatures made with the stolen keys no longer verify anywhere. Every organisation that receives email from Europa.eu addresses should treat inbound messages with elevated scrutiny until that rotation is confirmed. We mapped how credential exposure enables exactly this kind of downstream exploitation in our corporate credential leak assessment.
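To make the DMARC argument above concrete, and to show what the selector revocation described in this section looks like to a verifier, here is an added example that evaluates DMARC the way a receiving mail server does (RFC 7489 section 3.1) and classifies a DKIM selector record (RFC 6376 section 3.6.1). It is not code from the article or from any EU mail system. Assumptions: the organisational domain is approximated as the last two DNS labels (real verifiers consult the Public Suffix List), SPF and DKIM results are passed in already evaluated rather than parsed from an Authentication-Results header, and all domains other than europa.eu are placeholders.

```python
"""DMARC passes on EITHER an aligned SPF pass or an aligned DKIM pass.
With a stolen DKIM key, a forgery relayed from the attacker's own server
fails SPF and still passes DMARC.  Added illustration; assumptions noted."""

DMARC_POLICY = {"adkim": "r", "aspf": "r"}  # relaxed alignment, the RFC default


def org_domain(domain):
    """Approximate organisational domain (assumption: no Public Suffix List):
    'ec.europa.eu' -> 'europa.eu'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organisational domains; strict ('s')
    requires an exact match with the RFC5322.From domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain, spf, dkim, policy=DMARC_POLICY):
    """spf = (result, MAIL FROM domain); dkim = (result, d= signing domain).
    Returns (verdict, reason)."""
    spf_result, spf_domain = spf
    dkim_result, dkim_d = dkim
    if dkim_result == "pass" and aligned(dkim_d, from_domain, policy["adkim"]):
        return "pass", f"aligned DKIM signature from d={dkim_d}"
    if spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"]):
        return "pass", f"aligned SPF pass for {spf_domain}"
    return "fail", "no aligned authenticated identifier"


def dkim_key_status(txt_record):
    """Classify a selector's DNS TXT record: an empty p= tag means the key is
    revoked, which is how a domain tells verifiers to stop trusting a leaked
    signing key once the replacement selector is live."""
    tags = dict(
        part.strip().split("=", 1) for part in txt_record.split(";") if "=" in part
    )
    if tags.get("v", "DKIM1").strip() != "DKIM1":
        return "invalid"
    return "revoked" if tags.get("p", "").strip() == "" else "active"


def scenarios():
    """Constructed cases; only the verdicts are returned."""
    legit = dmarc_verdict("ec.europa.eu",
                          spf=("pass", "ec.europa.eu"),
                          dkim=("pass", "ec.europa.eu"))
    # Attacker relays from their own IP (SPF fails) but signs with the stolen key.
    forged_with_key = dmarc_verdict("ec.europa.eu",
                                    spf=("fail", "attacker.example"),
                                    dkim=("pass", "europa.eu"))
    # Same forgery without the key: a bare header spoof.
    forged_no_key = dmarc_verdict("ec.europa.eu",
                                  spf=("fail", "attacker.example"),
                                  dkim=("none", ""))
    # After rotation the old selector is revoked, so the signature no longer verifies.
    forged_after_rotation = dmarc_verdict("ec.europa.eu",
                                          spf=("fail", "attacker.example"),
                                          dkim=("fail", "europa.eu"))
    return {"legit": legit[0],
            "forged_with_key": forged_with_key[0],
            "forged_no_key": forged_no_key[0],
            "forged_after_rotation": forged_after_rotation[0]}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:>22}: DMARC {verdict}")
    print("old selector:", dkim_key_status("v=DKIM1; k=rsa; p="))
```

The `forged_with_key` case is the whole problem in one line: SPF fails, the mail came from nowhere near Europa.eu infrastructure, and DMARC still says pass because the signature is genuine. Strict alignment (`adkim=s`) narrows which subdomains a given key can vouch for but does not help when the key for the exact sending domain is the one that leaked.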
If your organisation exchanges correspondence with EU institutions or operates cloud infrastructure with third-party CI/CD dependencies, a Corporate Audit maps your full exposure surface.
The Regulatory Irony
The timing is difficult to ignore.
On January 15, 2026 — two months before the breach — the European Commission published proposals for the Cybersecurity Act 2 (CSA2) alongside targeted amendments to the NIS2 Directive. These proposals mandate strict supply chain risk management protocols for organisations operating across the EU. The EDPB and EDPS issued a joint opinion supporting the strengthened framework.
The same Commission was simultaneously advancing the Digital Omnibus Package, which proposes narrowing the legal definition of “personal data” under GDPR — a move the EDPB and EDPS publicly urged legislators to reject, arguing it would weaken fundamental protections.
Then the institution drafting Europe’s supply chain security laws was breached through a supply chain attack. The institution proposing to narrow GDPR protections had 52,000 email files and employee personal data published on a dark web leak site.
This is not an abstract policy failure. The Commission enforces GDPR against private enterprises with fines reaching into the billions. Under GDPR Article 32, data controllers must implement “appropriate technical and organisational measures” to ensure security proportionate to the risk. Pinning CI/CD dependencies to immutable commit hashes rather than mutable version tags, the specific control that would have kept the force-pushed tags out of the Commission's pipelines, is not an exotic defensive technique. It is documented by GitHub, recommended by CISA, and considered baseline practice by organisations that take supply chain security seriously.
As ComplexDiscovery observed: “The question is not whether EU institutions have the right policies on paper — but whether the cloud credentials protecting the architecture of European governance are managed with the same rigour that the Commission demands of others.”
The ShinyHunters Question
ShinyHunters published the Commission’s data but did not carry out the initial intrusion. CERT-EU attributes initial access to TeamPCP via the Trivy compromise. The SANS Internet Storm Center noted that the relationship between ShinyHunters and TeamPCP remains “unclear” — the credentials may have been sold, shared, or transferred through underground broker networks.
What is clear is the scale. Mandiant estimates that over 1,000 SaaS environments were affected by the broader TeamPCP campaign, with approximately 500,000 machines compromised across all victims. The Commission is the highest-profile governmental target, but it is not the only one.
ShinyHunters’ operational pattern — which we profiled in our threat group analysis — has historically centred on financial extortion. They steal personal data and threaten to publish it, transferring regulatory and reputational risk to the corporate victim. The Commission breach appears to be an exception: no ransom demand has been publicly reported. Whether that reflects a strategic choice, a proxy operation, or simply a calculation that extorting a sovereign institution is impractical remains an open question.
The group’s track record in Europe includes the Odido breach (6.2 million Dutch citizens) and the corporate attack surface exposure patterns we have documented extensively. Their method of monetising stolen personal data — not proprietary code, not trade secrets, but the immutable identity information of individuals — is what makes them particularly dangerous. Dates of birth, passport numbers, and IBANs cannot be rotated like passwords.
Defensive Takeaways
For organisations running CI/CD pipelines with third-party dependencies — which is nearly all of them — the Commission breach offers specific, actionable lessons:
Pin GitHub Actions to full SHA commit hashes. Mutable references (tags such as v1, v2 or latest, or a branch name) can be force-pushed to malicious commits, which is exactly what happened. A 40-character commit SHA cannot be retargeted. CERT-EU, CISA, and GitHub all recommend this as standard practice. Pin the version of any tool the action downloads as well: a SHA-pinned action that fetches the latest scanner release still pulls a poisoned release like v0.69.4.
Scope CI/CD credentials to minimum required permissions. The compromised Trivy action ran with access to AWS management keys. If pipeline credentials had been scoped to read-only scanning permissions, the attacker would have harvested keys that could not create new access keys or exfiltrate data. Better still, issue pipeline credentials as short-lived tokens through OIDC federation rather than storing long-lived static access keys on the runner; a harvested session token expires on its own, and a role without iam:CreateAccessKey cannot be used to mint a persistent key.
Rotate credentials after any supply chain incident. Not selectively, and not piecemeal: comprehensively, in one pass. The original TeamPCP compromise began in late February. The Commission's rotation, spread out rather than done atomically, left a window that the March 19 attack exploited.
Monitor for anomalous API usage in cloud environments. The Commission’s SOC detected the breach through abnormal API calls and traffic spikes. Organisations without equivalent monitoring would not have caught it at all.
Search for tpcp-docs repositories in your GitHub organisation. The presence of such a repository indicates the fallback exfiltration mechanism was triggered and secrets were stolen.
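The first takeaway above, pinning action references, is easy to audit mechanically. The checker below is an added example, not code from GitHub, Aqua Security or the article; it walks the `uses:` lines of a workflow file with a regular expression rather than a full YAML parser (assumption: one `uses:` per line, the normal layout), and it also covers reusable workflows and `docker://` images, which are mutable in the same way unless pinned to a digest. The sample workflow, its version tags and the 40-hex SHA in it are placeholders constructed for the example, not real commits or releases.

```python
"""Report every GitHub Actions step whose reference can be retargeted by the
publisher (or by whoever steals the publisher's credentials).  Added example;
the sample workflow and its refs are placeholders."""
import re

# [ \t]* rather than \s* so the pattern never runs across a line boundary.
USES_RE = re.compile(
    r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?(?P<spec>[^"\'\s#]+)', re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: line 7 and 8 use tags, line 10 is SHA-pinned (placeholder
# SHA), line 11 is a local action, line 12 is an image pinned only by tag.
SAMPLE_WORKFLOW = """name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: ./.github/actions/notify
      - uses: docker://alpine:3.19
"""


def audit_workflow(text):
    """Return a list of (line_number, spec, problem) for mutable references."""
    findings = []
    for m in USES_RE.finditer(text):
        spec = m.group("spec")
        line = text.count("\n", 0, m.start()) + 1
        if spec.startswith("./"):
            continue  # local action: reviewed with the repository's own code
        if spec.startswith("docker://"):
            if "@sha256:" not in spec:
                findings.append((line, spec, "image referenced by tag; pin to an @sha256: digest"))
            continue
        if "@" not in spec:
            findings.append((line, spec, "missing @ref"))
            continue
        ref = spec.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(ref):
            findings.append((line, spec, f"mutable ref '{ref}'; pin to a full 40-hex commit SHA"))
    return findings


if __name__ == "__main__":
    for line, spec, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line}: {spec}: {problem}")
```

Run it over `.github/workflows/*.yml` in every repository the organisation owns; anything it prints is a reference whose meaning someone else controls. Keep the human-readable version as a trailing comment after the SHA, as the sample does, so reviewers still see what they are upgrading.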
For organisations that have already experienced a breach or suspect credential exposure, a structured response within the first 72 hours is critical. Our corporate breach response checklist covers the essential steps for both EU and US jurisdictions.
What This Means for Executives
The Commission breach is a supply chain attack. The next one might be too. But the downstream consequences — stolen personal data, forged emails, identity exposure — land on individuals.
If your organisation’s CI/CD pipelines were running Trivy during the March 19–20 exposure window, your AWS credentials may be in the same pool that was used to breach the European Commission. The CISA KEV remediation deadline is April 9.
If your organisation exchanges correspondence with EU institutions, your communications may be in the published archive. And if your executives’ personal data — home addresses, credential pairs, family relationships — is accessible through the same data broker and breach database infrastructure that attackers use for reconnaissance before targeted attacks, the question is not whether that data will be used. It is when.
Originally published at https://privacyinsightsolutions.com on April 7, 2026.