
Inside the EU Commission Breach: The Role of Compromised Credentials in the Trivy Supply Chain Attack

May 4, 2026

In March of 2026, threat actors used a compromised version of the Trivy vulnerability scanner to access the European Commission’s cloud infrastructure — the administrative backbone that supports policy coordination, sensitive citizen and member-state data, and dozens of EU institutions across 27 countries.

A single stolen AWS API key enabled attackers to create new credentials, scan for secrets, and exfiltrate over 300GB of uncompressed data from multiple Union entities.

The breach reflects a broader shift in attacker behavior. As organizations depend more heavily on cloud identities and supply chain software, adversaries are turning one trusted credential into access across many systems, accelerating the speed and scale of compromise.

How the European Commission Was Exposed via the Trivy Compromise

Starting in February 2026, threat actors known as TeamPCP (also tracked as DeadCatx3, PCPcat, ShellForce, and CipherForce) compromised Aqua Security’s Trivy scanner by exploiting an AWS API key exposed in a software update.

On March 19, they pushed a malicious release containing a credential-harvesting script through official channels. Though live for only three hours, the update was automatically installed by thousands of organizations, including the European Commission.

This allowed the threat actors to steal, among other things, cloud credentials across as many as 10,000 downstream victims; personally identifiable information (PII) of both staff and citizens who interacted with certain portals; and sensitive financial and operational data from the Athena Mechanism, the EU’s framework for financing military operations.

Furthermore, the breach exposed detailed architectural maps and configuration snapshots of the Commission's entire AWS environment. These documents, which detail trust relationships, Virtual Private Cloud (VPC) layouts, security group rules, and IAM roles, create a comprehensive blueprint for any threat actor planning a follow-up attack against EU infrastructure.

How Attackers Used Stolen Credentials to Access the European Commission’s Cloud

Once inside, threat actors created additional access keys tied to existing user accounts, expanding their reach while blending into normal identity activity. Because these new keys were associated with identities the environment trusted, their usage appeared consistent with routine operations and did not trigger permission-based alerts.

From there, attackers searched connected systems for other credentials, configuration files, and secrets that could provide broader access. This phase of the intrusion was methodical, targeting systems and services that shared identity infrastructure or relied on the same cloud accounts.

As the attackers accumulated more credentials, they were able to move laterally across multiple cloud environments with minimal resistance. Each additional key extended their access into another system, allowing them to pivot without encountering new authentication barriers. The attackers also extracted a complete Single Sign-On (SSO) directory of personnel authorized to access the platform, which gave them a highly curated target list for future social engineering, spear-phishing, or credential stuffing attacks against EU officials.

By the Numbers: The Scale of the European Commission Data Breach


How to Prevent Your Next Supply Chain Breach by Exposing Credential Misuse

Cloud systems rely on a mix of human and non-human identities across accounts, services, and tools, and many of these identities operate continuously and automatically as part of routine workflows.

Because these identities are embedded in automation and distributed across multiple services, they often accumulate broad, persistent access that is rarely reviewed once established. Traditional access controls focus on what an identity is allowed to do, not on how it behaves in practice, which creates blind spots when credentials are misused or repurposed by attackers. Furthermore, many tools track only human user identities, overlooking the growing volume of activity generated by non-human identities and devices that are not tied to a specific user. This leaves gaps that adversaries can exploit for lateral movement, privilege escalation, and undetected data access.

When defenders rely solely on static permission reviews, they get an incomplete picture of how credentials are actually used in day‑to‑day operations. Permissions may look appropriate on paper, but that view does not reveal whether an identity is behaving in unexpected ways or accessing systems it normally would not. Indefinite, unreviewed access means teams lose sight of which systems, data, or downstream services a credential is actually touching.

Closing this gap requires visibility into how identities actually behave across systems, so that teams can quickly spot access that falls outside of normal patterns, detect when a credential is being misused, understand the potential blast radius of an incident, and contain threats before they spread.
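The behaviors described in this post (a trusted credential minting new access keys for a different identity, use from an unfamiliar location, and a sweep of secrets well beyond an identity's normal footprint) are all visible in activity logs even when every call is permitted. The example below is added here to show what a baseline-driven check looks like; it is not ExtraHop's code or product logic. It runs over constructed CloudTrail-style records (the identity names, IP addresses, secret ids and timestamps are invented, and the spike thresholds are illustrative assumptions), learns what each identity normally does during a learning window, and flags departures from that baseline rather than permission violations.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not real logs). Field names
# follow the CloudTrail schema so the same logic maps onto real exports.
SAMPLE_EVENTS = [
    # Learning window: ci-deploy works from its usual egress IP and reads one secret;
    # backup-admin works from a different address.
    {"eventTime": "2026-03-18T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {}},
    {"eventTime": "2026-03-18T10:00:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"secretId": "prod/app-config"}},
    {"eventTime": "2026-03-18T11:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "backup-admin"}, "sourceIPAddress": "203.0.113.11",
     "requestParameters": {}},
    # Detection window: the ci-deploy credential, now used from an unfamiliar IP,
    # mints a key for a different user; that user then reads many secrets at once.
    {"eventTime": "2026-03-19T14:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2026-03-19T14:06:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "backup-admin"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"secretId": "prod/db-master"}},
    {"eventTime": "2026-03-19T14:06:10Z", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "backup-admin"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"secretId": "prod/sso-signing"}},
    {"eventTime": "2026-03-19T14:06:20Z", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "backup-admin"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"secretId": "prod/finance-export"}},
    {"eventTime": "2026-03-19T14:06:30Z", "eventName": "GetSecretValue",
     "userIdentity": {"userName": "backup-admin"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"secretId": "prod/s3-replication"}},
]


def build_baseline(events, learn_until):
    """Learn, per identity, the source IPs it uses and how many distinct secrets
    it normally reads. ISO-8601 'Z' timestamps compare correctly as strings."""
    ips = defaultdict(set)
    secrets = defaultdict(set)
    for ev in events:
        if ev["eventTime"] >= learn_until:
            continue
        user = ev["userIdentity"].get("userName", "<unknown>")
        ips[user].add(ev["sourceIPAddress"])
        if ev["eventName"] == "GetSecretValue":
            secrets[user].add(ev["requestParameters"].get("secretId"))
    return {"ips": ips, "secret_count": {u: len(s) for u, s in secrets.items()}}


def detect(events, learn_until, secret_spike_factor=3, min_spike=3):
    """Judge events at or after learn_until against the baseline and return
    findings: first-seen source IPs, keys minted for another user, secret sweeps."""
    base = build_baseline(events, learn_until)
    findings = []
    flagged_ips = set()            # (user, ip) pairs already reported
    secrets_seen = defaultdict(set)
    for ev in events:
        if ev["eventTime"] < learn_until:
            continue
        user = ev["userIdentity"].get("userName", "<unknown>")
        ip = ev["sourceIPAddress"]
        if ip not in base["ips"].get(user, set()) and (user, ip) not in flagged_ips:
            flagged_ips.add((user, ip))
            findings.append({"type": "new_source_ip", "user": user, "ip": ip,
                             "time": ev["eventTime"]})
        if ev["eventName"] == "CreateAccessKey":
            # CloudTrail omits requestParameters.userName when the key is for the
            # caller itself; a different name means one identity is minting
            # credentials for another, which is what this post describes.
            target = ev["requestParameters"].get("userName", user)
            if target != user:
                findings.append({"type": "key_minted_for_other_user", "user": user,
                                 "target": target, "time": ev["eventTime"]})
        if ev["eventName"] == "GetSecretValue":
            secrets_seen[user].add(ev["requestParameters"].get("secretId"))
    for user, ids in secrets_seen.items():
        normal = base["secret_count"].get(user, 0)
        # Illustrative threshold: a multiple of the baseline, never below min_spike.
        threshold = max(min_spike, secret_spike_factor * normal)
        if len(ids) >= threshold:
            findings.append({"type": "secret_access_spike", "user": user,
                             "distinct_secrets": len(ids), "baseline": normal})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, learn_until="2026-03-19T00:00:00Z"):
        print(finding)
```

On the sample data this yields four findings: ci-deploy appearing from a new IP, ci-deploy creating a key for backup-admin, backup-admin appearing from that same new IP, and backup-admin reading four distinct secrets against a baseline of none. None of these calls is denied by IAM, which is the point: the signal is in the behavior, not the permission.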

Key Takeaway: Building a Resilient Supply Chain in the Era of Identity-Based Threats

As organizations connect more systems and services in the cloud, a single trusted credential can now provide access across large parts of a given organization, increasing the potential impact of any compromise.

To stay ahead of these threats, organizations must gain visibility into when a user or device identity begins operating outside of its expected patterns. This requires continuous monitoring of network activity, including encrypted lateral movement, and the ability to contain a threat or misuse before unauthorized access expands across today’s increasingly complex, hybrid environments.

Learn how ExtraHop helps teams detect and investigate unusual identity activity — faster.

Blog author: Bob Hansmann, Sr. Product Marketing Manager
Key Takeaways
  • The Trivy supply chain attack proves that one exposed AWS API key — embedded in a trusted scanner update — is all it takes to silently compromise up to 10,000 downstream organizations before defenders even know something is wrong.
  • Once inside the EU Commission's environment, attackers created new IAM keys tied to already-trusted identities, making their activity look like routine operations and bypassing permission-based alerts entirely.
  • Because cloud-based non-human identities accumulate broad, persistent access that's rarely reviewed, attackers were able to move laterally across 71 EU entities without ever triggering a single permission-based alert.
  • This is exactly where static permission reviews break down, because they can only show you what an identity is allowed to do and not what it's actively doing.
  • By exfiltrating the EU Commission's full SSO directory, attackers left with a precision-targeted list of authorized personnel primed for the next wave of phishing and credential attacks.
