Scanner breach exposed EU cloud

A compromised security scanner gave attackers access to the European Commission’s AWS environment, highlighting gaps between compliance programs and actual cloud security posture. The incident is being cited as evidence that increasing cloud complexity creates structural risks many organisations share. (cloudcomputing-news.net)

The breach started with a tool that was supposed to prevent breaches. In March, attackers slipped malicious code into Trivy, a widely used open-source security scanner, and the European Commission later used that poisoned version inside the AWS environment that helps run the Europa.eu web platform. CERT-EU says the attackers stole an AWS API key on March 19, and that key gave them control over other Commission-linked AWS accounts. The first alarms did not fire until March 24, when the Commission’s security team saw suspicious Amazon API activity and a spike in network traffic (cert.europa.eu, aquasec.com).

That detail matters because it changes what this story is about. This was not a brute-force break-in. It was a trust failure inside the software supply chain. Aqua Security says the attackers used compromised credentials to publish malicious Trivy releases and tamper with related GitHub Actions on March 19. Microsoft’s threat researchers describe the result plainly: trusted security tooling was weaponized against the organizations that relied on it. The scanner did its normal job inside CI/CD and cloud workflows. It also quietly stole secrets from the same places it was meant to inspect (aquasec.com, microsoft.com).

Once the attackers had the Commission’s AWS secret, they did not smash around at random. CERT-EU says they created and attached a new access key to an existing user, then ran reconnaissance and launched TruffleHog, a secrets-hunting tool, to look for more credentials and validate what they had found. That is the ugly logic of modern cloud attacks. A single key is rarely just a single key. It often sits inside an environment full of automation, cross-account permissions, and service relationships that are hard to map even for the people who built them (cert.europa.eu, csoonline.com).

The Commission disclosed the incident publicly on March 27. By then, the attackers had already exfiltrated a large archive. CERT-EU puts the haul at about 91.7 GB compressed, while several reports describe the uncompressed total as roughly 350 GB. The stolen material included names, email addresses, and email content, and it may affect data tied to at least 29 other EU entities that used the same service. On March 28, according to CERT-EU, the extortion group ShinyHunters published the data on its leak site after receiving it from the actor behind the Trivy compromise, which investigators link to TeamPCP (cert.europa.eu, securityweek.com, bleepingcomputer.com).

The revealing part is not that the European Commission used a scanner. Everyone does. The revealing part is how much reach that scanner had once it was embedded in a real cloud estate. CERT-EU says it found no evidence of lateral movement into other Commission AWS accounts, but the compromised key still had enough power to expose data across a shared public-web infrastructure serving dozens of institutional clients. The problem was not a missing compliance checkbox. The problem was that a defensive tool sat close enough to production secrets to become an attack path the moment trust in its updates collapsed (cert.europa.eu, csoonline.com).

That is why this incident is landing so hard across cloud security. TeamPCP did not invent a new weakness in AWS. It exploited the way modern organizations glue together scanners, CI pipelines, GitHub Actions, secrets, and cloud accounts so that software can move quickly. Palo Alto Networks says the same campaign targeted other trusted developer and security tools, stealing cloud credentials, Kubernetes tokens, database passwords, TLS keys, and SSH keys from victim environments. The Commission case stands out because it shows the consequences in one concrete chain: a poisoned scanner update, one stolen API key, one public web platform, and a dark-web dump posted four days later (unit42.paloaltonetworks.com, cert.europa.eu).
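The sequence CERT-EU describes, a stolen key minting a second access key for an existing user and that new key immediately being used for reconnaissance, is the kind of pattern CloudTrail makes visible days before a leak-site post. The following detection is an added example written for this article, not code from CERT-EU, Aqua, or any of the cited vendors. It runs over constructed CloudTrail-style records (the account, user names, key ids, IPs and timestamps are all made up) and flags a CreateAccessKey event whose newly issued key is then used, within a window, for enumeration calls. The list of "reconnaissance" APIs is an assumption chosen for illustration, not a published detection rule.

```python
"""Flag CreateAccessKey followed by reconnaissance with the newly minted key.

Hypothetical detection over constructed CloudTrail-style records. Field names
(eventTime, eventSource, eventName, userIdentity.accessKeyId, ...) follow the
real CloudTrail schema; every value below is invented for the example.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: a starter set of enumeration APIs typically seen right after a
# credential is obtained. Extend it for your own environment.
RECON_APIS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "ListAttachedUserPolicies"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
}


def _event(time, source, name, user, key, ip, **extra):
    """Build one constructed CloudTrail-like record (helper for the sample)."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
    }
    rec.update(extra)
    return rec


# Constructed sample log (newline-delimited JSON). The first four records show a
# long-lived key for "web-deploy" issuing itself a second key, which is then used
# for enumeration within minutes. The last two records are a benign admin action.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2025-01-01T10:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
           "web-deploy", "AKIAEXAMPLEOLDKEY00", "203.0.113.10",
           requestParameters={"userName": "web-deploy"},
           responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLENEWKEY00",
                                           "userName": "web-deploy"}}),
    _event("2025-01-01T10:00:30Z", "sts.amazonaws.com", "GetCallerIdentity",
           "web-deploy", "AKIAEXAMPLENEWKEY00", "203.0.113.10"),
    _event("2025-01-01T10:01:00Z", "s3.amazonaws.com", "ListBuckets",
           "web-deploy", "AKIAEXAMPLENEWKEY00", "203.0.113.10"),
    _event("2025-01-01T10:02:00Z", "secretsmanager.amazonaws.com", "ListSecrets",
           "web-deploy", "AKIAEXAMPLENEWKEY00", "203.0.113.10"),
    _event("2025-01-01T11:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
           "admin-alice", "AKIAEXAMPLEADMINKEY0", "198.51.100.7",
           requestParameters={"userName": "ci-runner"},
           responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLEBENIGN00",
                                           "userName": "ci-runner"}}),
    _event("2025-01-01T11:05:00Z", "s3.amazonaws.com", "PutObject",
           "ci-runner", "AKIAEXAMPLEBENIGN00", "198.51.100.7"),
])


def parse_events(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_time"] = datetime.strptime(
            ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda ev: ev["_time"])


def detect_key_creation_recon(events, window=timedelta(hours=1)):
    """Return findings for each CreateAccessKey whose new key does recon in `window`."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("eventName") != "CreateAccessKey":
            continue
        new_key = ((ev.get("responseElements") or {})
                   .get("accessKey", {}).get("accessKeyId"))
        if not new_key:
            continue  # denied or malformed request; nothing was issued
        target_user = (ev.get("requestParameters") or {}).get("userName")
        creator = ev.get("userIdentity", {})
        recon = [later for later in events[i + 1:]
                 if later["_time"] - ev["_time"] <= window
                 and later.get("userIdentity", {}).get("accessKeyId") == new_key
                 and (later.get("eventSource"), later.get("eventName")) in RECON_APIS]
        if recon:
            findings.append({
                "target_user": target_user,
                "creator_key": creator.get("accessKeyId"),
                "new_key": new_key,
                # A user issuing a second key to itself is the CERT-EU pattern.
                "self_issued": creator.get("userName") == target_user,
                "recon_calls": [r["eventName"] for r in recon],
                "source_ips": sorted({r.get("sourceIPAddress") for r in recon}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_key_creation_recon(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

The benign admin issuing a key that then only writes objects produces no finding; the self-issued key that immediately calls GetCallerIdentity, ListBuckets and ListSecrets does. In a real deployment the same logic would read from a CloudTrail Lake query or an S3 log bucket rather than an inline string, and the `self_issued` and `source_ips` fields are what an analyst would pivot on first, since a key created from an unfamiliar address and used from that same address is the signature of a stolen credential rather than a rotation.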
