Trivy supply‑chain breach hits EU
What happened
CERT‑EU attributes a Trivy supply‑chain attack to a breach of the European Commission's AWS environment that exfiltrated about 340 GB of data. (x.com) The incident is being called a wake‑up call for logistics and third‑party logistics (3PL) firms that rely on open‑source scanning tools and cloud hosts — software supply‑chain risk can translate into operational and reputational exposure. (x.com)
Why it matters
CERT‑EU says attackers used a compromised version of Trivy, an open‑source code scanner, to get into an Amazon Web Services account that helps run the European Commission’s europa.eu hosting platform, and copies of stolen files — roughly 340 GB uncompressed — were later posted by the extortion group ShinyHunters. (cert.europa.eu) (securityweek.com) The affected cloud account supported the europa.eu web hosting service for up to 71 clients — 42 internal Commission sites and at least 29 other Union entities — and CERT‑EU’s review found personal data including names, email addresses and email content among the exfiltrated material. (cert.europa.eu) (securityweek.com)

CERT‑EU reports the intruders acquired an AWS secret (an API key, which is a digital credential that lets software call the cloud account) on March 19 by targeting Trivy’s official distribution, then used that credential to create new access keys and probe the environment with a tool called TruffleHog (a scanner that searches code repositories for leaked secrets). (cert.europa.eu) (microsoft.com) Technical analysis from Microsoft and Aqua Security shows the campaign involved “tag poisoning” of GitHub Actions (where an attacker replaces trusted release tags in the automation scripts developers use to build and deploy software), which caused organizations that pulled normal updates to unknowingly execute attacker‑controlled code inside their continuous integration/continuous delivery pipelines (the automated processes teams use to build and ship software). (microsoft.com) (aquasec.com)

CERT‑EU’s numbers show about 91.7 GB of data in the compromised account when compressed and roughly 340 GB when uncompressed, and the Commission first detected unusual Amazon API activity on March 24, notified CERT‑EU on March 25, publicly disclosed the incident on March 27, and the stolen data appeared on March 28. (cert.europa.eu) (securityweek.com) Investigators attribute initial access to a threat actor going by “TeamPCP” while the leak publication is credited to ShinyHunters, and Microsoft notes the same credential‑harvesting techniques were used across other ecosystems and cloud providers (targeting AWS, Google Cloud and Azure credentials as well as Kubernetes and database secrets). (cert.europa.eu) (microsoft.com) Aqua Security says the malicious Trivy release was v0.69.4 and that its commercial (paid) product environments were architecturally separated from the compromised open‑source pipelines, and CERT‑EU’s advisory lists concrete detection and remediation recommendations that the Commission and other affected entities are following. (aquasec.com) (cert.europa.eu)
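The "tag poisoning" described above works because a workflow line such as uses: some-org/some-action@v1 resolves a mutable tag at run time, so whoever can move the tag decides what code the pipeline executes. The standard mitigation is to pin third‑party actions to a full commit SHA, which a moved tag cannot change. The audit script below is an added example written for this page; it is not code from CERT‑EU, Microsoft, Aqua Security or the Trivy project. It scans a workflow file for uses: references and reports which ones are still mutable (a tag, a branch, no version at all, or a docker:// image without a digest). The workflow text, organisation names, action names and the commit SHA in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow: names and the 40-hex SHA are illustrative only,
# not taken from the page or from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
      - name: Scan image
        uses: example-org/scan-action@0.1.0
      - uses: docker://ghcr.io/example-org/tool:latest
      - uses: ./.github/actions/local-step
"""

# A plain regex over 'uses:' lines is enough for this audit and avoids a YAML
# dependency; it tolerates an optional list dash and optional quoting.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')            # full git commit SHA
DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')  # OCI image digest


@dataclass
class Finding:
    line: int
    ref: str
    status: str  # "pinned", "mutable" or "local"


def classify(ref: str) -> str:
    """Decide whether one 'uses:' reference is immutable.

    A reference is only 'pinned' when it names a full commit SHA (for repo
    actions) or a sha256 digest (for docker:// images). Tags, branches and
    floating image tags such as ':latest' are 'mutable' because whoever
    controls the upstream repository or registry can repoint them.
    """
    if ref.startswith("./"):
        return "local"  # lives in this repository; reviewed with the code
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "mutable"
    if "@" not in ref:
        return "mutable"  # no version at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per 'uses:' line in a workflow file, in order."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            findings.append(Finding(number, ref, classify(ref)))
    return findings


def mutable_refs(text: str) -> list[str]:
    """Convenience view: just the references that need pinning."""
    return [f.ref for f in audit_workflow(text) if f.status == "mutable"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:3d}  {f.status:8s}  {f.ref}")
    print(f"{len(mutable_refs(SAMPLE_WORKFLOW))} reference(s) still mutable")
```

Run over the sample, the script flags three mutable references and accepts only the SHA‑pinned one. Two caveats apply when using this in a real pipeline: a pinned SHA still needs a version comment and a dependency‑update bot so pins get refreshed, and pinning addresses only the tag‑poisoning vector. It does nothing against a poisoned release itself (the page reports a malicious Trivy release, v0.69.4); that risk is handled at install time by verifying checksums or signatures from a source independent of the download.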
Key numbers
- About 340 GB of data exfiltrated uncompressed; about 91.7 GB as stored compressed in the affected account. (cert.europa.eu)
- Up to 71 clients hosted on the affected europa.eu account: 42 internal Commission sites and at least 29 other Union entities. (cert.europa.eu)
- March 19: AWS secret obtained; March 24: unusual Amazon API activity detected; March 25: CERT‑EU notified; March 27: public disclosure; March 28: stolen data published. (cert.europa.eu) (securityweek.com)
- Malicious Trivy release identified by Aqua Security: v0.69.4. (aquasec.com)