
Your Security Scanner Is Now an Attack Vector: The EU AWS Breach Explained

🚨 Security Alert  •  April 2026


The European Commission AWS Breach: Full Timeline, Attack Chain, and 12-Step Hardening Checklist
By Bola Ogunlana, April 2026. 12 min read. Tags: DevSecOps, Cloud Security, Supply Chain

  • 340GB of data stolen
  • 71 EU institutions hit
  • 5 days to detect
  • 1 API key. That's all.
Bottom Line First

The European Commission's AWS environment was breached not through a direct attack on AWS, but through a poisoned version of Trivy, the open-source security scanner running inside their own CI/CD pipeline. One stolen API key cascaded into 340GB of data from 71 EU institutions landing on the dark web. Detection took five days. This is not an exotic zero-day. It is a supply chain compromise through tooling that most cloud teams trust completely.

01

What Is Trivy and Why Did It Matter

Trivy is one of the most widely adopted open-source vulnerability scanners in cloud-native engineering. Developed and maintained by Aqua Security, it scans container images, filesystems, IaC configs, and Git repositories for known CVEs and misconfigurations. It integrates directly into CI/CD pipelines including GitHub Actions and is trusted precisely because it sits inside your security posture, not outside it.

That trust is the attack surface.

TeamPCP (also tracked as DeadCatx3 and ShellForce) identified this. Rather than attacking cloud accounts directly, they compromised the tool that cloud accounts trust. The European Commission downloaded the poisoned version through a normal software update. Nothing in the update process raised an alert.

Why Trivy Was Worth Attacking

Trivy runs inside the pipeline job, so it inherits whatever that job can reach: the container images and IaC it is asked to scan, and in most setups the cloud credentials the job holds as environment variables or mounted files. Compromising a widely adopted scanner therefore turns every organisation that performs a routine update into a target at the same moment. Targeting popularity is the supply chain attacker's core strategy.

02

Full Breach Timeline

Each entry gives the date, the event, and its significance in the chain.

  • Late Feb 2026: TeamPCP breaches Trivy's GitHub repository. Incomplete credential rotation leaves residual access to a hijacked aqua-bot service account. (Root cause established)
  • 19 Mar 2026, 17:43 UTC: TeamPCP force-pushes malicious code to 76 of 77 version tags in the trivy-action repo. Trivy v0.69.4 is poisoned and served via normal update channels. (Weapon deployed)
  • 19 Mar 2026: The European Commission downloads the compromised Trivy version through a routine software update. A single AWS API key is exfiltrated via typosquatted domains, GitHub repos, and Cloudflare tunnels. (Initial access achieved)
  • 19 Mar 2026: Attackers launch TruffleHog inside the environment, scanning for additional secrets and validating AWS credentials via Security Token Service (STS) calls. (Reconnaissance begins)
  • 19 Mar 2026: A new IAM access key is created and attached to an existing user to establish persistence while blending into legitimate account activity. (Persistence established)
  • 19 to 24 Mar 2026: Silent exfiltration across AWS accounts spanning 42 internal EC clients and at least 29 other EU entities. Five full days pass with no detection. (Silent exfiltration)
  • 24 Mar 2026: The EC Cybersecurity Operations Centre receives alerts: abnormal Amazon API usage, potential account compromise, and an unusual spike in network traffic. (Detection, 5 days late)
  • 25 Mar 2026: CERT-EU notified by the European Commission under Article 21 of Regulation (EU, Euratom) 2023/2841. Incident response activated. (IR activated)
  • 27 Mar 2026: The European Commission publicly discloses the incident. Compromised access keys are revoked. EDPS notified under Regulation (EU) 2018/1725. (Public disclosure)
  • 28 Mar 2026: ShinyHunters publishes 91.7GB compressed (340GB uncompressed) of stolen data on their Tor-based dark web leak site. Dataset confirmed by CERT-EU. (Data goes public)
  • 3 Apr 2026: CERT-EU publishes its full technical advisory, officially attributing the breach to TeamPCP via the Trivy supply chain compromise, with ShinyHunters confirmed as the party behind publication and extortion. (Official attribution)

03

Attack Chain: Technical Breakdown

01 Supply Chain Infiltration

TeamPCP did not attack the European Commission directly. They attacked Aqua Security's Trivy project first, in late February, roughly three weeks earlier. Using a hijacked aqua-bot service account, whose access survived an incomplete credential rotation after the earlier Trivy GitHub repository breach, they force-pushed malicious code across 76 of 77 version tags in the trivy-action repository.

The poisoned tool was engineered to operate inside CI/CD pipelines without triggering alerts. Exfiltration used multiple channels: typosquatted domains, GitHub repositories, and Cloudflare tunnels, all blending into normal pipeline egress traffic.

02 Credential Harvesting

When the EC ran the compromised Trivy scanner on 19 March, the malicious code executed inside the pipeline and harvested an AWS API key. One key. That is all it took.

The key granted control over multiple AWS accounts because of overly broad IAM permissions attached to credentials used in CI/CD workflows. This is one of the most common misconfigurations in cloud-native security programmes: a single long-lived pipeline key that can assume roles across the estate.

03 Reconnaissance

With the initial key, attackers launched TruffleHog to discover and validate additional AWS credentials via Security Token Service (STS) calls (typically sts:GetCallerIdentity, which succeeds for any valid key regardless of its permissions, so a burst of these calls is a reliable sign of credential validation). They then created and attached a new access key to an existing IAM user, maintaining persistence while mimicking legitimate account management activity.

04 Data Exfiltration

Over five days, attackers exfiltrated data from AWS accounts spanning 42 internal EC clients and at least 29 other EU entities. The stolen dataset included:

  • 340GB uncompressed (91.7GB compressed)
  • 51,992 email files totalling 2.22GB including bounce-back messages with user-submitted content
  • Full SSO user directory
  • DKIM signing keys (usable for spoofing EU institutional email domains)
  • AWS configuration snapshots
  • NextCloud and Athena data, including EU military financing documents
  • Internal admin URLs

05 Extortion and Publication

ShinyHunters, a separate criminal syndicate responsible for breaches at Ticketmaster, AT&T, and 60+ other organisations, obtained the data from TeamPCP and published the complete dataset on their dark web leak site on 28 March. The dual attribution (one group to breach, another to monetise) signals a growing specialisation economy within the criminal ecosystem.

MITRE ATT&CK Techniques Used

Each entry gives the technique ID and name, then how it was applied.

  • T1195.002 Supply Chain Compromise: Compromise Software Supply Chain. Poisoned Trivy release delivered malicious code into the EC's CI/CD pipeline via normal update channels.
  • T1586.003 Compromise Accounts: Cloud Accounts. Stolen AWS API key used to access and control multiple EC AWS accounts simultaneously.
  • T1078.004 Valid Accounts: Cloud Accounts. New IAM access key attached to an existing user for persistent, legitimate-looking access.
  • T1530 Data from Cloud Storage. Data exfiltrated from S3 and related services across 71 EU entity accounts over five days.
  • T1552.001 Unsecured Credentials: Credentials In Files. TruffleHog deployed inside the compromised environment to scan for additional secrets.
04

Why the Impact Is Worse Than the Numbers Suggest

The raw numbers are significant: 340GB, 71 institutions, 52,000 emails. The strategic impact goes deeper.

DKIM Key Exposure

Attackers now hold DKIM signing keys for EU Commission domains. Until the affected selectors are rotated and the old public keys are removed from DNS, anyone with those keys can sign mail that passes DKIM checks, enabling highly convincing spear-phishing campaigns impersonating EU institutions. Key rotation has to be part of the remediation, not an afterthought, and the leaked keys remain usable for as long as the old DNS records stay published.

AWS Configuration Snapshots

Infrastructure configuration data reveals the Commission's cloud architecture: account structures, VPC layouts, IAM policies, and service configurations. This is reconnaissance data for future attacks, now permanently on the dark web.

Military Financing Data

The dataset includes Athena data, the EU mechanism for common financing of military operations. This dimension goes far beyond standard personal data exposure and raises questions that go well beyond a standard IR playbook.

The GDPR Irony

The European Commission drafted the GDPR and is the institution that oversees its application across the Union. EU institutions themselves are bound by the parallel regime, Regulation (EU) 2018/1725, supervised by the European Data Protection Supervisor. The Commission now sits on the receiving end of the very framework it champions, and has formally notified the EDPS under that Regulation.


05

Hardening Checklist: What to Do Right Now

Immediate actions if you run Trivy or any third-party tool in your CI/CD pipeline.

Each item gives the action, its priority, and what to do.

1. Update Trivy to a known-safe version (Critical). Check Aqua Security's advisory for confirmed safe versions. Remove all cached compromised versions from pipeline agents and base images.
2. Rotate all AWS credentials Trivy could reach (Critical). Rotate every key that was present in any pipeline where the poisoned version ran, for the whole exposure window (for the EC, 19 to 24 March). Do not limit rotation to keys you think were affected; assume the scanner read everything the job could.
3. Run TruffleHog on your own repositories now (Critical). Find exposed secrets before anyone else does, and integrate the scan as a non-bypassable pipeline gate.
4. Pin all GitHub Actions to full commit SHAs (High). Never reference a mutable tag like @v3. Use the full 40-character commit hash rather than an abbreviated prefix such as aquasecurity/trivy-action@d2a392a, and record the corresponding version in a comment. Mutable tags are the attack surface. Pinning the action does not pin the Trivy binary the action downloads at run time, so set the scanner version explicitly as well.
5. Apply least privilege to all CI/CD pipeline credentials (High). Pipeline credentials must have the minimum IAM permissions needed for that specific pipeline only. Never share credentials across pipelines or accounts.
6. Enable AWS CloudTrail in all accounts and regions (High). An organisation trail covers every member account centrally. Monitor for abnormal sts:AssumeRole calls, CreateAccessKey actions outside IaC, and unexpected cross-account activity.
7. Add secrets scanning as a pipeline gate (High). Integrate TruffleHog or Gitleaks as a required step that fails the build on detection.
8. Audit all third-party tools running in your pipelines (High). List every external action, scanner, or integration. Verify the source, version pinning, and update mechanism for each one.
9. Set up STS and IAM anomaly alerting (High). Alert on: bursts of sts:GetCallerIdentity (credential validation), new access keys created outside IaC, IAM policy attachments from unexpected sources, and STS calls from unexpected source IPs or user agents.
10. Verify open-source tool integrity with checksums (Medium). Where SHA pinning is not available, verify downloads against published checksums and cross-reference release signatures.
11. Implement network egress filtering on pipeline agents (Medium). Allowlist expected egress targets so that Cloudflare tunnels and typosquatted domains are unreachable from pipeline agents.
12. Review your incident detection SLA (Medium). Five days from compromise to detection is not production-grade. Anomalous API volumes and cross-account activity should trigger within hours, not days.
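Items 4 and 8 above are the kind of check that should run automatically rather than by eyeballing workflow files. The following is an added example, not code from Aqua Security, the trivy-action project, or the EC advisory: it walks GitHub Actions workflow files and reports every `uses:` reference that can be moved under you (mutable tags or branches, abbreviated SHAs, container images without a digest). It assumes workflows live under .github/workflows/; the sample workflow below is constructed, and its 40-character SHA is a placeholder rather than a real commit.

```python
"""Audit GitHub Actions workflows for `uses:` references that are not
immutably pinned. Added example, not code from Aqua Security or the
trivy-action project. The sample workflow is constructed and its full SHA
is a placeholder, not a real commit."""
import re
from dataclasses import dataclass
from pathlib import Path

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches `uses:` whether it opens a step (`- uses:`) or follows `- name:`.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not immutably pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: lives in this repo and is reviewed with it
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(lineno, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref at all; resolves to the default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        if FULL_SHA.match(version):
            continue
        if SHORT_SHA.match(version):
            findings.append(Finding(lineno, ref, "abbreviated SHA; pin the full 40-character commit hash"))
        else:
            findings.append(Finding(lineno, ref, f"mutable ref '{version}'; a tag or branch can be force-pushed"))
    return findings


def audit_directory(workflows: Path) -> dict[str, list[Finding]]:
    """Audit every *.yml / *.yaml file in a workflows directory (assumed path)."""
    results = {}
    for path in sorted(workflows.glob("*.y*ml")):
        findings = audit_workflow(path.read_text())
        if findings:
            results[path.name] = findings
    return results


# Constructed sample workflow exercising each case the auditor handles.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@d2a392a
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/scanner:latest
      - name: no ref
        uses: some-org/some-action
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run `audit_directory(Path(".github/workflows"))` from a repository root and fail the build on any non-empty result. The abbreviated-SHA case is deliberate: a 7-character prefix looks pinned but GitHub resolves it by prefix match, which is not the same guarantee as the full hash.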
06

Strategic Takeaways for Cloud Security Leads

The Trust Inversion Problem

Traditional security models extend implicit trust to tools that are themselves part of your security posture. Scanners, linters, and CI/CD integrations run with elevated access by design. TeamPCP's strategy is to weaponise that trust. The more widely adopted the tool, the more valuable the supply chain target. Trivy's popularity made it worth attacking. This will happen again with other tools.

1. Your security tooling IS your attack surface

Stop treating scanners and pipeline tools as outside the threat model. They run inside your environment, with your credentials, against your infrastructure. They need the same level of scrutiny as your application code: version pinning, integrity verification, and change control.

2. Shared pipeline credentials are a blast radius problem, not a cost saving

The EC breach cascaded because a single API key had access to multiple accounts. This is an IAM design failure, not an AWS failure. Each pipeline, each environment, and each service should hold its own scoped credential with a deliberately limited blast radius.
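The blast-radius argument in this takeaway, and the "overly broad IAM permissions" point in the attack chain above, reduce to three policy patterns you can lint for mechanically. The block below is an added example, not an AWS tool and not anything from the EC incident: it scans IAM policy documents attached to pipeline credentials for wildcard actions, wildcard resources, and sts:AssumeRole that reaches into other accounts. The sample policies, account IDs, and the list of resource-less actions are constructed assumptions.

```python
"""Lint IAM policy documents attached to pipeline credentials for the
blast-radius patterns described in the text. Added example, not an AWS
artefact; sample policies and account IDs are constructed."""
import re

# Actions AWS only permits with Resource "*" because they have no
# resource-level scope (assumption: extend with your own allowed set).
RESOURCE_LESS_ACTIONS = {"ecr:getauthorizationtoken", "sts:getcalleridentity"}
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, home_account: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every Allow statement that widens the
    blast radius of the credential this policy is attached to."""
    issues = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))

        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append(("wildcard_action", f"statement {i}: Action {actions}"))

        if "*" in resources and not all(a in RESOURCE_LESS_ACTIONS for a in actions):
            issues.append(("wildcard_resource",
                           f"statement {i}: Resource '*' for {actions} reaches every matching resource"))

        # A key that can assume roles in other accounts is exactly how one
        # pipeline credential cascades across an estate.
        if any(a in ("*", "sts:*", "sts:assumerole") for a in actions):
            for r in resources:
                m = ACCOUNT_IN_ARN.match(r)
                if r == "*" or (m and m.group(1) != home_account):
                    issues.append(("cross_account_assume",
                                   f"statement {i}: can assume {r}, outside account {home_account}"))
    return issues


WEAK_POLICY = {  # what an "it just works" pipeline user often ends up with
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {  # one pipeline, one image repository, one deploy role, same account
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:PutImage"],
         "Resource": "arn:aws:ecr:eu-west-1:111111111111:repository/app-api"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111111:role/app-api-deploy"},
    ],
}

CROSS_ACCOUNT_POLICY = {  # one key that can hop into two other accounts
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": ["arn:aws:iam::222222222222:role/Deploy",
                                "arn:aws:iam::333333333333:role/Deploy"]}],
}

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY),
                         ("cross-account", CROSS_ACCOUNT_POLICY)]:
        print(name, lint_policy(policy, "111111111111") or "clean")
```

Feed it the output of `aws iam get-policy-version` for each policy attached to your pipeline users and roles. The scoped policy passes only because the single Resource "*" statement carries an action that genuinely has no resource scope; any other action on "*" is reported.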

3. Five-day detection windows are indefensible at this scale

CloudTrail, GuardDuty, and custom EventBridge rules can detect this pattern within minutes. If you cannot detect abnormal STS calls or unexpected cross-account activity within hours, your monitoring coverage is not production-grade. The technology is not the constraint. Priority is.
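The three CloudTrail patterns this incident produced (the STS validation burst and access-key persistence from the reconnaissance step in section 03, and the cross-account activity in checklist items 6 and 9) are each a few lines of logic. The following is an added example, not CERT-EU's or the Commission's detection content: it runs three rules over CloudTrail-shaped records. Field names follow the CloudTrail record format; the sample events, the IaC user-agent markers, the pipeline egress range, and the thresholds are all constructed assumptions to be tuned per account.

```python
"""Detection rules for the CloudTrail patterns in the attack chain: a burst
of STS credential-validation calls, an access key created outside IaC and
attached to an existing user, and AssumeRole from an unexpected network.
Added example, not the EC's or CERT-EU's detection logic. Sample events,
thresholds and allowlists below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

IAC_USER_AGENT_MARKERS = ("terraform", "aws-cdk", "pulumi")  # assumption: sanctioned IaC tools
PIPELINE_EGRESS_PREFIXES = ("203.0.113.",)                    # assumption: pipeline NAT range (TEST-NET-3)
STS_BURST_THRESHOLD = 5                                       # assumption: calls per window
STS_BURST_WINDOW = timedelta(minutes=2)


def _when(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def detect_access_key_outside_iac(events):
    """CreateAccessKey not issued by an IaC tool, with a note when the key
    lands on a user other than the caller (the persistence step in the chain)."""
    alerts = []
    for e in events:
        if e.get("eventName") != "CreateAccessKey":
            continue
        agent = (e.get("userAgent") or "").lower()
        if any(marker in agent for marker in IAC_USER_AGENT_MARKERS):
            continue
        caller = e["userIdentity"].get("userName")
        target = (e.get("requestParameters") or {}).get("userName", caller)
        detail = f"{caller} created an access key for {target} via {e.get('userAgent')}"
        if target != caller:
            detail += " (key attached to a different existing user)"
        alerts.append(("create_access_key_outside_iac", detail))
    return alerts


def detect_sts_validation_burst(events):
    """Repeated GetCallerIdentity from one source inside a short window. The
    call succeeds for any valid key regardless of permissions, which is why
    secret scanners use it to validate harvested credentials."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("eventName") == "GetCallerIdentity":
            by_source[e.get("sourceIPAddress")].append(_when(e))
    alerts = []
    for ip, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > STS_BURST_WINDOW:
                start += 1
            if end - start + 1 >= STS_BURST_THRESHOLD:
                alerts.append(("sts_validation_burst",
                               f"{end - start + 1} GetCallerIdentity calls from {ip} within {STS_BURST_WINDOW}"))
                break
    return alerts


def detect_assume_role_off_network(events):
    """AssumeRole from an address outside the pipeline egress range. Calls made
    by AWS services carry a service hostname instead of an IP and are skipped."""
    alerts = []
    for e in events:
        if e.get("eventName") != "AssumeRole":
            continue
        ip = e.get("sourceIPAddress", "")
        if ip.endswith(".amazonaws.com") or ip.startswith(PIPELINE_EGRESS_PREFIXES):
            continue
        role = (e.get("requestParameters") or {}).get("roleArn", "?")
        alerts.append(("assume_role_off_network",
                       f"{e['userIdentity'].get('userName')} assumed {role} from {ip}"))
    return alerts


def run_all(events):
    return (detect_access_key_outside_iac(events)
            + detect_sts_validation_burst(events)
            + detect_assume_role_off_network(events))


def _event(name, time, ip, user, agent="aws-cli/2.15.0", **params):
    """Minimal CloudTrail-shaped record (constructed sample, not a real log)."""
    return {"eventName": name, "eventTime": time, "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "userAgent": agent,
            "requestParameters": params or None}


SAMPLE_EVENTS = [
    _event("GetCallerIdentity", f"2026-03-19T18:02:{s:02d}Z", "198.51.100.7", "ci-deployer")
    for s in range(0, 60, 10)  # six validation calls in one minute
] + [
    _event("CreateAccessKey", "2026-03-19T18:05:00Z", "198.51.100.7", "ci-deployer", userName="ops-admin"),
    _event("CreateAccessKey", "2026-03-19T09:00:00Z", "203.0.113.10", "terraform",
           agent="aws-sdk-go/1.44 (terraform 1.7)", userName="terraform"),
    _event("AssumeRole", "2026-03-19T18:06:00Z", "198.51.100.7", "ci-deployer",
           roleArn="arn:aws:iam::222222222222:role/Deploy"),
    _event("AssumeRole", "2026-03-19T09:01:00Z", "203.0.113.10", "ci-deployer",
           roleArn="arn:aws:iam::222222222222:role/Deploy"),
]

if __name__ == "__main__":
    for rule, detail in run_all(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In production the same rules sit behind an EventBridge rule on CloudTrail management events, or a scheduled query over the CloudTrail lake; the point is that none of them needs more than the fields every record already carries, and all three fire on the first day of this timeline rather than the fifth.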

4. The dual-attribution model signals an industrialised criminal economy

TeamPCP breached. ShinyHunters leaked. Two separate groups coordinated through what appears to be a data marketplace arrangement. This is division of labour in a criminal industry. Specialisation reduces the skill bar for each actor and increases overall throughput. Expect this structure to become standard.

5. The EU Cyber Resilience Act just got its defining case study

The CRA's main obligations apply from December 2027 and are designed to address exactly this class of supply chain attack. The European Commission, the body drafting and enforcing it, just became a documented example of the risk it is legislating against. Expect this to accelerate both the implementation timeline and the sovereign cloud debate across EU member states.

Further Reading

Vibe Coding: Build Cloud Infrastructure at the Speed of Thought

Want to build cloud infrastructure security into your engineering workflow from the ground up, including AI-assisted threat modelling, IaC security patterns, and pipeline hardening? The book covers that.

Sources

  • CERT-EU: Official Advisory, 3 April 2026 (cert.europa.eu)
  • Help Net Security: Trivy supply chain attack enabled European Commission cloud breach
  • The Next Web: European Commission breached after hackers poisoned Trivy
  • TechCrunch: Europe's cyber agency blames hacking gangs for massive data breach and leak
  • SecurityWeek: European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack
  • CybersecurityNews: CERT-EU Confirms Trivy Supply Chain Attack Led to European Commission AWS Breach
  • CyberNews: European Commission breach tied to TeamPCP after 350GB ShinyHunters leak
  • State of Surveillance: The EU's Own Security Scanner Was the Attack Vector
