Supply Chain Attack via Trivy Compromise Leads to 340 GB Data Leak from European Commission Cloud
What Happened – A compromised version of the open‑source Trivy container scanner was used as a supply‑chain foothold to steal AWS credentials belonging to the European Commission (EC). Attackers (attributed to ShinyHunters/TeamPCP) accessed EC’s AWS accounts, exfiltrated roughly 340 GB of data—including personal identifiers and email‑bounce files—and published the dump on a dark‑web leak site.
Why It Matters for TPRM –
- Third‑party tooling can become a covert entry point to critical cloud environments.
- Compromise of cloud API keys enables wholesale data extraction without immediate detection.
- Public exposure of EU‑level personal data triggers regulatory, reputational, and contractual fallout for any downstream service providers.
Who Is Affected – Government/Public sector (European Commission) and any SaaS or cloud‑service vendors that integrate or rely on the same Trivy scanner or share the compromised AWS infrastructure.
Recommended Actions –
- Audit all third‑party open‑source security tools for integrity; enforce signed releases and hash verification.
- Rotate and tightly scope all cloud API keys; implement credential‑access monitoring (e.g., AWS IAM Access Analyzer).
- Conduct a data‑loss assessment for any downstream partners handling EC‑derived data; update breach‑notification procedures.
Technical Notes – Initial access stemmed from a supply‑chain compromise of AquaSec’s Trivy scanner (third‑party dependency). Attackers harvested an AWS API key, used TruffleHog to locate additional secrets, created a new access key, and performed reconnaissance. No lateral movement beyond the compromised account was observed, and the EC revoked the keys promptly. Leaked data includes names, usernames, email addresses, and ~52k email‑bounce files (2.22 GB).
Source: Help Net Security
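The credential‑access monitoring recommended above can be made concrete against the sequence in the Technical Notes (harvested long‑lived key mints a new access key, new key performs reconnaissance). The following is an added example, not code from the article or from any EC tooling; it assumes CloudTrail‑shaped records (constructed samples here), treats an `AKIA…` caller key as a long‑lived user key, and uses an assumed set of reconnaissance API names and a caller‑supplied list of trusted networks.

```python
# Correlate CloudTrail records: long-lived key -> CreateAccessKey -> recon with the new key.
import ipaddress
from datetime import datetime, timedelta

# API calls treated as reconnaissance right after key creation (assumed set, tune per environment).
RECON = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListAccessKeys", "ListSecrets"}

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _ev(time, name, user, key, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real EC data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            **extra}

SAMPLE_RECORDS = [  # constructed: one suspicious chain (ci-scanner), one benign admin action
    _ev("2026-03-20T08:01:00Z", "CreateAccessKey", "ci-scanner", "AKIAEXAMPLE000000001",
        "203.0.113.50", responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002"}}),
    _ev("2026-03-20T08:01:30Z", "GetCallerIdentity", "ci-scanner", "AKIAEXAMPLE000000002", "203.0.113.50"),
    _ev("2026-03-20T08:02:10Z", "ListBuckets", "ci-scanner", "AKIAEXAMPLE000000002", "203.0.113.50"),
    _ev("2026-03-20T09:00:00Z", "CreateAccessKey", "platform-admin", "AKIAEXAMPLE000000007",
        "10.20.0.5", responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE000000008"}}),
    _ev("2026-03-20T09:00:40Z", "ListBuckets", "platform-admin", "AKIAEXAMPLE000000008", "10.20.0.5"),
]

def key_minting_then_recon(records, trusted_nets=(), window=timedelta(minutes=30)):
    """Return one finding per CreateAccessKey made with a long-lived (AKIA...) key
    whose newly minted key then issues RECON calls from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    events = sorted(records, key=_ts)
    findings = []
    for ev in events:
        caller_key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if ev["eventName"] != "CreateAccessKey" or not caller_key.startswith("AKIA"):
            continue  # console/role sessions use temporary (ASIA...) credentials
        new_key = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
        if not new_key:
            continue  # denied/failed call: no key was issued
        t0 = _ts(ev)
        recon = [e for e in events
                 if e.get("userIdentity", {}).get("accessKeyId") == new_key
                 and e["eventName"] in RECON and t0 <= _ts(e) <= t0 + window
                 and not any(ipaddress.ip_address(e["sourceIPAddress"]) in n for n in nets)]
        if recon:
            findings.append({"user": ev["userIdentity"]["userName"], "caller_key": caller_key,
                             "new_key": new_key, "source_ip": recon[0]["sourceIPAddress"],
                             "recon_calls": [e["eventName"] for e in recon]})
    return findings
```

Run against the samples with `trusted_nets=["10.20.0.0/16"]`, only the `ci-scanner` chain is reported; the admin's key creation from the internal range is not.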