CERT-EU says Trivy supply chain attack helped lead to European Commission AWS breach
The European Commission’s cloud breach now appears tied to the Trivy supply chain compromise, according to CERT-EU. In a detailed incident write-up, CERT-EU said a compromised version of Trivy gave attackers access to the AWS infrastructure behind the Commission’s europa.eu web platform, which hosts websites and publications for multiple EU bodies.
CERT-EU says the Commission’s Cybersecurity Operations Center detected suspicious Amazon API activity and unusually large outbound traffic on March 24, 2026. The Commission informed CERT-EU on March 25, then disabled the compromised secret and the newly created AWS access keys.
The impact was broad. CERT-EU says attackers exfiltrated about 91.7 GB of compressed data, roughly 340 GB uncompressed, from cloud infrastructure serving 71 clients, including 42 internal European Commission clients and 29 other Union entities.
What CERT-EU and Aqua say happened
Aqua Security said the Trivy incident began on March 19, 2026, when an attacker used compromised credentials to publish malicious releases of Trivy 0.69.4, along with compromised versions of trivy-action and setup-trivy. Aqua said this was part of a broader multi-stage supply chain campaign.
CERT-EU says the European Commission downloaded a compromised Trivy release through normal update channels on March 19. Based on the timing, the AWS credential misuse, and the fact that the Commission was using the malicious Trivy version at the time, CERT-EU and the Commission concluded that the Trivy supply chain attack was the likely initial access vector.
After gaining access, the attackers used the stolen AWS secret to create and attach a new access key to an existing AWS IAM user. CERT-EU says they then performed reconnaissance and data theft in the Commission’s cloud environment, but investigators found no evidence that the attackers moved laterally into other AWS accounts, even though the permissions may have allowed it.
What data was exposed
CERT-EU says the attackers targeted the AWS-backed europa.eu hosting environment rather than internal European Commission systems. The agency and outside reporting both say internal systems were not breached, no websites were defaced, and no service outage occurred.
The leaked data did include sensitive information. CERT-EU says the dump contained names, usernames, and email addresses, along with more than 51,000 files related to outbound email communications. The agency noted that some bounce-back emails contained original user-submitted content, which raises the chance of broader personal data exposure.
ShinyHunters later published the stolen dataset on its leak site, but CERT-EU attributes the intrusion itself to TeamPCP. That distinction matters because one group appears linked to the original access and theft, while another handled the public leak.
Key facts at a glance
| Item | Verified detail |
|---|---|
| Initial access date | March 19, 2026 |
| Detection date | March 24, 2026 |
| Main environment hit | AWS cloud infrastructure supporting europa.eu |
| Likely initial vector | Compromised Trivy release |
| Compressed data stolen | 91.7 GB |
| Estimated uncompressed size | About 340 GB |
| Affected clients | 71 total |
| Internal systems breached? | No evidence reported |
These details come from CERT-EU’s incident report and follow-up coverage based on the same advisory.
What organizations should take from this
CERT-EU says organizations should update Trivy to a known-safe version, audit all deployments that may have used the compromised release, and rotate AWS secrets that may have been exposed during the compromise window. Aqua also urged users to review any CI/CD environment that consumed the malicious packages.
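The audit CERT-EU and Aqua call for starts in the CI configuration itself: which workflows reference trivy-action or setup-trivy, whether any of them request the 0.69.4 release, and whether action references are pinned to a full commit SHA (CERT-EU's pinning recommendation) or to a mutable tag or branch. The following script is an added example written for this article, not code from CERT-EU, Aqua, or the Trivy project. It assumes the actions live under the `aquasecurity/` GitHub owner and uses a constructed sample workflow; the action versions in that sample are illustrative, not a statement about which tags were compromised.

```python
"""Audit GitHub Actions workflow text for Trivy-related supply chain exposure:
references to trivy-action / setup-trivy, the compromised 0.69.4 release, and
`uses:` references pinned to mutable tags or branches instead of a full SHA."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Action repositories named in the article. The "aquasecurity/" owner prefix is
# where these actions are published; keep this set aligned with current advisories.
TRIVY_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
MALICIOUS_TRIVY_VERSION = "0.69.4"  # release named by Aqua as compromised

# `- uses: owner/repo[/path]@ref`; [ \t]* (not \s*) so the match never spans lines.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w.-]+)(/[\w./-]*)?@(\S+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str  # "trivy_action", "mutable_ref" or "malicious_version"
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per issue, with the 1-based line it was found on."""
    findings: list[Finding] = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group(1), m.group(3)
        line = text.count("\n", 0, m.start()) + 1
        if repo in TRIVY_ACTIONS:
            # Every consumer of the affected actions must be reviewed, pinned or not.
            findings.append(Finding(line, "trivy_action", f"{repo}@{ref}"))
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved to point at attacker-controlled code.
            findings.append(Finding(line, "mutable_ref", f"{repo}@{ref}"))
    for line, raw in enumerate(text.splitlines(), start=1):
        if MALICIOUS_TRIVY_VERSION in raw:
            findings.append(Finding(line, "malicious_version", raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {"mutable_ref": 2, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample workflow: one SHA-pinned action, two Trivy actions on mutable
# refs, and an explicit request for the compromised release.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.kind:<18} {f.detail}")
    print(summarize(audit_workflow(SAMPLE_WORKFLOW)))
```

Run it over every `.github/workflows/*.yml` in the organisation's repositories; a `trivy_action` finding means the workflow consumed the affected actions during the window and its cloud credentials belong on the rotation list, whatever the other findings say.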
CERT-EU also recommends stronger controls around CI/CD access to cloud credentials. Its guidance includes least-privilege permissions, pinning GitHub Actions to full SHA hashes instead of mutable tags, and enabling AWS CloudTrail to spot suspicious Security Token Service calls or secret-hunting behavior earlier.
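CERT-EU's CloudTrail advice maps onto the sequence the report describes: a stolen long-lived secret is first validated, then used to look for further secrets, then used to mint a new access key on an existing IAM user. The script below is an added example written for this article, not CERT-EU or Commission tooling. It uses the standard CloudTrail record fields (`eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.arn`, `userIdentity.accessKeyId`, `requestParameters.userName`, `eventTime`) and the real `AKIA` (long-lived) versus `ASIA` (temporary) key prefixes; the CI egress allowlist, account ID, user name and IP addresses are constructed.

```python
"""Detection logic over CloudTrail records for the pattern CERT-EU describes:
credential validation via STS from outside CI, secret hunting, and creation of a
new access key on an existing IAM user. Runs offline on constructed sample events."""
from __future__ import annotations

from collections import defaultdict

# Constructed allowlist: the egress addresses the CI runners are expected to use.
KNOWN_CI_EGRESS = {"203.0.113.10"}

# Read-mostly calls used to enumerate what a stolen key can reach.
SECRET_HUNTING_CALLS = {
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ssm.amazonaws.com", "GetParametersByPath"),
    ("ssm.amazonaws.com", "GetParameter"),
    ("s3.amazonaws.com", "ListBuckets"),
}
HUNTING_THRESHOLD = 3  # distinct enumeration calls per principal before alerting


def _principal(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def detect(events: list[dict]) -> list[dict]:
    """Return a list of alert dicts; each has a 'rule' key naming what fired."""
    alerts: list[dict] = []
    hunting: dict[str, set[str]] = defaultdict(set)
    for e in events:
        src, name, ip = e.get("eventSource"), e.get("eventName"), e.get("sourceIPAddress")
        who = _principal(e)
        key_id = e.get("userIdentity", {}).get("accessKeyId", "")
        unexpected_ip = ip not in KNOWN_CI_EGRESS
        # 1. GetCallerIdentity from outside CI: a stolen key being checked.
        if src == "sts.amazonaws.com" and name == "GetCallerIdentity" and unexpected_ip:
            alerts.append({"rule": "sts_from_unknown_ip", "principal": who,
                           "ip": ip, "time": e.get("eventTime")})
        # 2. Accumulate enumeration calls per principal.
        if (src, name) in SECRET_HUNTING_CALLS:
            hunting[who].add(name)
        # 3. Persistence: new access key attached to an existing IAM user.
        if src == "iam.amazonaws.com" and name == "CreateAccessKey":
            alerts.append({
                "rule": "access_key_created",
                "principal": who,
                "target_user": e.get("requestParameters", {}).get("userName"),
                "long_lived_credential": key_id.startswith("AKIA"),
                "from_unknown_ip": unexpected_ip,
                "time": e.get("eventTime"),
            })
    for who, calls in hunting.items():
        if len(calls) >= HUNTING_THRESHOLD:
            alerts.append({"rule": "secret_hunting", "principal": who, "calls": sorted(calls)})
    return alerts


# Constructed sample: a CI user's long-lived key used from an unknown address, then
# two benign calls from the real CI runner.
_CI_USER = "arn:aws:iam::111122223333:user/ci-deployer"


def _ev(src: str, name: str, ip: str, key: str, t: str, params: dict | None = None) -> dict:
    return {"eventSource": src, "eventName": name, "sourceIPAddress": ip,
            "eventTime": t, "requestParameters": params or {},
            "userIdentity": {"type": "IAMUser", "arn": _CI_USER, "accessKeyId": key}}


SAMPLE_EVENTS = [
    _ev("sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", "AKIAEXAMPLE0000001", "2026-03-19T21:02:11Z"),
    _ev("secretsmanager.amazonaws.com", "ListSecrets", "198.51.100.7", "AKIAEXAMPLE0000001", "2026-03-19T21:02:40Z"),
    _ev("secretsmanager.amazonaws.com", "GetSecretValue", "198.51.100.7", "AKIAEXAMPLE0000001", "2026-03-19T21:03:05Z"),
    _ev("s3.amazonaws.com", "ListBuckets", "198.51.100.7", "AKIAEXAMPLE0000001", "2026-03-19T21:03:30Z"),
    _ev("iam.amazonaws.com", "CreateAccessKey", "198.51.100.7", "AKIAEXAMPLE0000001", "2026-03-19T21:05:00Z",
        {"userName": "ci-deployer"}),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10", "AKIAEXAMPLE0000001", "2026-03-19T22:00:00Z"),
    _ev("s3.amazonaws.com", "GetObject", "203.0.113.10", "AKIAEXAMPLE0000001", "2026-03-19T22:00:05Z"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The three rules are intentionally cheap to evaluate on a CloudTrail stream: the first two fire within minutes of misuse, well before the bulk transfer that was the actual detection trigger here, and the `long_lived_credential` flag on key creation is what ties the event back to a static secret that should have been in a rotation schedule.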
The incident also shows why reporting speed matters. CERT-EU says the Commission notified it within 24 hours of confirming the significant incident, which allowed a coordinated response under EU cybersecurity rules and faster notification of affected entities.
FAQ
What was the initial access vector?
CERT-EU says the likely initial access vector was a compromised version of Trivy that the Commission downloaded on March 19, 2026.
Were internal European Commission systems breached?
CERT-EU says no. The breach affected the AWS cloud infrastructure supporting the europa.eu hosting platform, but investigators found no evidence of compromise inside internal systems.
How much data was stolen?
CERT-EU says the attackers exfiltrated about 91.7 GB of compressed data, which expands to roughly 340 GB uncompressed.
How many clients were affected?
CERT-EU says 71 clients were impacted, including 42 internal Commission clients and 29 other Union entities.