Data Breaches | High

European Commission Suffers 300GB Data Breach via Trivy Supply Chain Attack

Monday, April 6, 2026
Europe (EU institutions)
SecurityWeek + Help Net Security

Summary

The European Commission confirmed a major data breach after attackers from the TeamPCP cybercrime group compromised the Trivy open-source vulnerability scanner, harvesting an AWS API key that granted access to the Commission's cloud environment. Over 300GB of data was stolen including personal information and email communications affecting up to 71 EU entities. The ShinyHunters extortion group subsequently published the stolen dataset on their dark web leak site.

Threat Analysis

On March 19, 2026, the European Commission unknowingly downloaded a compromised version of Trivy, a widely-used open-source vulnerability scanner maintained by Aqua Security. The cybercrime group TeamPCP (also tracked as DeadCatx3, PCPcat, and ShellForce) exploited incomplete credential rotation following an earlier breach of Trivy's GitHub repository, force-pushing malicious code to 76 of 77 version tags in the trivy-action repository.

When the Commission's automated security pipeline pulled the poisoned update, malware harvested an AWS API key, granting attackers access to the Commission's cloud environment. Attackers then performed systematic reconnaissance including credential scanning with TruffleHog, IAM enumeration, and bulk exfiltration from AWS Secrets Manager.

Data Stolen: Over 300GB (approximately 340GB uncompressed) including personal information (names, usernames, email addresses), approximately 51,992 files of outbound email communications, and data from websites hosted for up to 71 clients of the Europa.eu web hosting service.

Affected Entities: 42 internal European Commission clients and at least 29 other EU entities, potentially including the European Medicines Agency, European Banking Authority, ENISA, and Frontex.

The Commission's SOC detected anomalous activity on March 24 (five days after compromise). CERT-EU was notified March 25, public disclosure occurred March 27, and ShinyHunters published the stolen data on March 28.

Recommended Actions: Organizations using trivy-action in CI/CD pipelines should audit their workflow configurations, identify every pipeline run that pulled the action while the tags were poisoned, and rotate any credentials those runs could reach, not only the ones known to be exposed. Because Git tags are mutable references and were force-pushed in this incident, pin third-party actions to a full commit SHA rather than a version tag, and review the pinned commit before adopting it. Review AWS CloudTrail logs for unauthorized API activity, in particular IAM enumeration and unusual volumes of Secrets Manager reads from pipeline principals. Implement integrity verification for all third-party security tools used in automated pipelines.

Last updated: Apr 6, 2026, 08:20 AM
