
Last month’s European Commission cloud breach – and the later leak of 350 GB of stolen data by ShinyHunters – are now tied to the TeamPCP hacker group and the recent Trivy supply-chain attack, according to CERT-EU.
- Hackers who breached the European Commission appear to have gotten in through the Trivy supply-chain attack – not a direct hit on AWS.
- The stolen data did not stop at one cloud account, with CERT-EU warning the fallout may reach at least 29 other Union entities.
- ShinyHunters may have dumped the data, but CERT-EU now points to TeamPCP as the group that helped open the door.
Europe’s cyber defense agency published a new report on Thursday, revealing fresh details about the March 19th breach of the European Commission’s AWS cloud environment, which hosts the EC’s public website platform, europa.eu.
“The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security,” Thursday’s blog post said.
The report notes that the European Commission was “unwittingly” using a compromised version of Trivy, which it received “through normal software update channels.”
The Trivy compromise involved a malicious software update that let attackers harvest secrets from CI/CD environments, hitting multiple organizations beyond the Commission.
“The latest European Commission update has turned what first looked like a contained cloud credential incident into confirmed exfiltration at scale and a wider set of downstream victims," says Nick Tausek, Lead Security Automation Architect at Swimlane.
Tausek points out that the breach is no longer about a vague claim of stolen data, “but rather tens of thousands of files with exposure spanning multiple EU entities and a broader pool of web-hosting clients tied to the same environment.”
How TeamPCP got in
A spokesperson for Amazon Web Services (AWS) had reiterated to Cybernews at the time that the breach itself was not caused by a compromise of AWS systems.
Turns out, the CERT-EU investigation confirms Amazon’s denial, and says the threat actor responsible – now identified as TeamPCP – was able to acquire an AWS secret, or API key, on March 19 through the Trivy supply chain compromise.
This secret key granted TeamPCP control over other AWS accounts affiliated with the European Commission, the report says.
On the same day, TeamPCP was found attempting to steal more AWS secrets by "launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS),” CERT-EU said.
STS is an AWS service that generates short-lived security credentials for accessing AWS resources and verifying identities, it added.
Using that AWS secret, the threat actor then created and attached a new access key to an existing user in an apparent effort to avoid detection and carry out reconnaissance.
What data the hackers took
Upon discovering the intrusion, the Commission revoked and blocked access to the compromised account, while also deactivating any compromised access keys – but not before the attacker had exfiltrated about 91.7 GB of compressed data, the cyber agency said.
The “significant volume of data” stolen from the AWS account was said to include names, email addresses, and email content, with CERT-EU warning that “data pertaining to at least 29 other Union entities” may have also been affected.
While all this was happening, the notorious extortionists, ShinyHunters, published about 350 GB of the stolen account data on its dark leak blog – claiming to TechCrunch on Friday that they had stolen “some of the data previously taken by TeamPCP.”
Security researchers verifying the data said the leak included emails and attachments, a full SSO user directory, DKIM signing keys, AWS configuration snapshots, NextCloud and Athena data, and internal admin URLs.
Tausek says once sensitive data has been exposed, “the danger is not limited to what was ‘taken,’ but what can be convincingly reused.”
“Access to original submissions or identifiers, along with threat actors using AI to supercharge modern social engineering attacks, has made spearphishing, impersonation, and targeted account takeover attempts dramatically easier,” Tausek explains.
He says the real shift in the CERT-EU update “is the confirmation of reach and the quality of the material attackers can now use to move from theft to influence and access.”
CERT-EU says it is currently analyzing the ShinyHunters data dump, including another 2.22 GB containing 51,992 files related to outbound email communications, which could expose more information about those users.
What organizations should do
CERT-EU says the Trivy supply chain compromise coincides with the initially observed March 19th intrusion targeting the EC’s AWS credentials and cloud infrastructure.
It also notes that TeamPCP's tooling “is designed to operate within CI/CD pipelines and exfiltrates harvested secrets via multiple channels, including typosquatted domains, GitHub repositories, and Cloudflare tunnels.”
CERT-EU says at-risk organizations should take immediate measures to harden systems.
- Update to a known-safe version as identified by Aqua Security.
- Audit and rotate all AWS secrets and credentials that may have been exposed to Trivy during the compromise window.
- Audit Trivy versions deployed across all environments, including CI/CD pipelines.
- Pin all GitHub Actions to full SHA hashes rather than mutable tags.
- Search CI/CD logs and environments for exfiltration artefacts associated with TeamPCP (e.g., connections to typosquatted domains, unexpected Cloudflare tunnel activity).
Beyond the immediate response, CERT-EU says organizations should tighten access to cloud credentials inside CI/CD pipelines and make sure permissions are limited to only what is necessary.
The agency also recommends stronger vendor risk checks around third-party CI/CD tools, including verifying update signatures and keeping closer watch on critical dependencies.
Longer term, defenders should build stronger behavioral monitoring and real-time alerts to catch unusual secret access, suspicious outbound connections, and abnormal API activity before another supply-chain compromise spirals.
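As an added illustration of the behavioral monitoring CERT-EU recommends (example code, not from CERT-EU or the report), the Python below runs two detection rules over constructed CloudTrail-style events: a burst of sts:GetCallerIdentity calls by one principal, the credential-validation behaviour the report attributes to TruffleHog, and an iam:CreateAccessKey that attaches a key to a different existing user. The event shape, user names, timestamps and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, source, name, user, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"userName": user}, "requestParameters": params}

# Constructed sample events (minimal CloudTrail-like records), not real EC logs:
# "ci-deploy" is a normal pipeline identity; "ci-scanner" reproduces the pattern
# CERT-EU describes (STS validation burst, then a key attached to another user).
SAMPLE_EVENTS = [
    _ev("2026-03-19T10:00:01Z", "s3.amazonaws.com", "GetObject", "ci-deploy"),
    _ev("2026-03-19T10:00:02Z", "sts.amazonaws.com", "GetCallerIdentity", "ci-deploy"),
] + [
    _ev(f"2026-03-19T10:05:{s:02d}Z", "sts.amazonaws.com", "GetCallerIdentity", "ci-scanner")
    for s in (0, 4, 9, 13, 20)
] + [
    _ev("2026-03-19T10:06:00Z", "iam.amazonaws.com", "CreateAccessKey", "ci-scanner",
        {"userName": "svc-backup"}),
]

def _actor(ev):
    return ev["userIdentity"].get("userName", "unknown")

def detect_sts_burst(events, threshold=4, window=timedelta(seconds=60)):
    """Flag >= threshold sts:GetCallerIdentity calls by one principal inside one window,
    a credential-scanner validation pattern. Threshold and window are assumptions; tune them."""
    calls = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
            calls[_actor(ev)].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    findings = []
    for actor, times in sorted(calls.items()):
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            findings.append(("sts_burst", actor, len(times)))
    return findings

def detect_cross_user_access_key(events):
    """Flag iam:CreateAccessKey that attaches a key to a user other than the caller."""
    findings = []
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] == "CreateAccessKey":
            target = (ev.get("requestParameters") or {}).get("userName", _actor(ev))
            if target != _actor(ev):
                findings.append(("cross_user_access_key", _actor(ev), target))
    return findings

def run_detections(events):  # returns (rule, actor, detail) tuples from both rules
    return detect_sts_burst(events) + detect_cross_user_access_key(events)
```

In production the same rules would read real CloudTrail records (the field names used here match CloudTrail's top-level keys) and feed an alerting pipeline rather than return a list.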
CERT-EU also warns that organizations affected by the leaked data should watch for follow-on phishing and social engineering attempts using exposed names, email addresses, and message content.
A full list of CERT-EU’s recommended mitigation and hardening steps is available in the report.