How a Poisoned Trivy Update Gave Hackers the Keys to the European Commission's AWS

Introduction

A supply chain attack against Trivy — the open-source vulnerability scanner used in thousands of CI/CD pipelines — resulted in the European Commission losing 340 GB of data from its AWS environment. The breach, attributed to a threat actor known as TeamPCP, shows exactly how dangerous a single compromised tool in a pipeline can be.

What Happened

On March 19, 2026, the European Commission's CI/CD pipeline pulled a compromised version of Trivy through normal software update channels. Unbeknownst to the team, Trivy had been backdoored by TeamPCP — a threat actor whose tooling is specifically designed to operate inside CI/CD environments and exfiltrate secrets.

The malicious Trivy version harvested AWS API keys from the Commission's build environment and exfiltrated them via typosquatted domains, GitHub repositories, and Cloudflare tunnels. The attackers then used the stolen key to gain control over multiple AWS accounts affiliated with the Commission.

On the same day, the attackers launched TruffleHog — a secrets-scanning tool — to discover additional credentials and validate access via AWS STS (Security Token Service). To avoid detection, they created and attached a new access key to an existing IAM user rather than creating a new one.

By March 24, the Commission's Cybersecurity Operations Centre (CSOC) detected alerts around abnormal API activity and unusual network traffic. CERT-EU was notified on March 25. The compromised account was revoked and all affected keys were deactivated.

But it was too late. A total of 91.7 GB compressed (340 GB uncompressed) had already been exfiltrated. On March 28, the data extortion group ShinyHunters published the stolen dataset on their dark web leak site. The data covered 71 clients of the Europa web hosting service — 42 European Commission entities and at least 29 other EU bodies — and included names, email addresses, email content, databases, and confidential documents.

Why It Matters

Trivy is not an obscure tool. It is one of the most widely used container and filesystem vulnerability scanners in the DevOps world, integrated into GitLab CI, GitHub Actions, Jenkins, and countless homegrown pipelines. A supply chain compromise of a security tool — something you implicitly trust — is a nightmare scenario precisely because it blends in.

This incident confirms a pattern: attackers are increasingly targeting the tools that defenders use. If your scanner, linter, or build utility is compromised, your secrets are exposed at the exact moment they are most accessible — inside the pipeline.

Who Is Affected

Any organization that was running a compromised version of Trivy between mid-March 2026 and the date it was pulled. Organizations using Trivy in CI/CD environments with access to cloud credentials (AWS, GCP, Azure) are at highest risk. Check your pipeline logs for the affected version window and rotate any credentials that may have been in scope.

How to Protect Yourself

  • Pin your tool versions: instead of pulling latest, pin to a specific digest (aquasec/trivy@sha256:...) so updates only happen when you explicitly approve them
  • Verify checksums: before running any binary in your pipeline, validate its SHA256 hash against the official release
  • Audit what has access to secrets: scan your CI/CD jobs and limit which steps have access to cloud credentials — a scanner doesn't need write permissions
  • Use short-lived credentials: replace long-lived AWS API keys with short-lived role-based credentials using IAM roles or OIDC federation. Stolen keys expire fast
  • Enable CloudTrail and alerting: set up AWS CloudTrail with alerts on IAM key creation, STS GetCallerIdentity calls from unexpected sources, and unusual S3/API activity
  • Run TruffleHog yourself: periodically scan your own repos and CI artifacts for accidentally committed secrets — trufflehog git file://.
  • Check your Trivy version: ensure you are running a clean, verified release from the official Aqua Security repository
  • Implement least privilege: your pipeline should only have access to what it genuinely needs — not the entire AWS account

Source: https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain