Protect.Computer
CERT-EU confirms European Commission cloud breach linked to Trivy supply-chain compromise


What happened

CERT-EU reported that a European Commission AWS cloud account tied to the europa.eu web platform was compromised after attackers obtained credentials through the earlier Trivy supply-chain attack.

According to CERT-EU, attackers used the compromised access to perform reconnaissance and exfiltrate a large dataset (about 91.7 GB compressed, ~340 GB uncompressed). The exposed data may include records related to dozens of EU entities that use the shared hosting service.

Why this matters

This is a practical example of a “second-order” supply-chain impact: even if your own code was not directly backdoored, credentials exposed in CI/CD tooling can still become a path to cloud-account takeover and data theft.

For organizations using Trivy, GitHub Actions, or similar pipeline tooling, this is not just a headline about Brussels — it is a warning about credential scope, key rotation speed, and cloud monitoring gaps.

How to check if you’re affected

You may be affected if your team ran Trivy releases that predate the vendor's fixed versions (for example, Trivy before v0.69.2, or the affected trivy-action builds) and any CI/CD jobs using them had access to AWS keys, cloud tokens, or other secrets.

  1. Inventory all Trivy usage across CI/CD (including old workflows, forks, and self-hosted runners).
  2. Confirm versions/actions were updated to known-safe releases from vendor guidance.
  3. Rotate all AWS keys/tokens that may have been exposed to affected pipeline jobs.
  4. Review CloudTrail and IAM activity for suspicious key creation, unusual STS calls, or unfamiliar automation users.
  5. Check for abnormal outbound traffic from build systems and signs of secret-scanning tools running unexpectedly.

Immediate defensive actions

  • Pin security tooling and GitHub Actions to immutable commit SHAs, not mutable tags.
  • Reduce secret scope in pipelines (least privilege + short-lived credentials).
  • Alert on IAM key creation/attachment events and cross-account API anomalies.
  • Re-run incident-response checks even if no obvious outage occurred (this incident had no website downtime but still involved data theft).
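As an added example (not from CERT-EU or the Trivy project), the following script covers step 1 of the checklist and the first two defensive actions: it inventories `aquasecurity/trivy*` action references in a GitHub workflow file, checks whether each is pinned to a 40-character commit SHA rather than a mutable tag, and reports whether the same workflow exposes cloud secrets to the job. The workflow text and the `aquasecurity/trivy-action` step contents are constructed for illustration; the regexes are a lightweight stand-in for a full YAML parser.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for illustration only; not taken from any real repository.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# 'uses: owner/repo@ref' lines; the ref is a tag, branch or commit SHA.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Secrets whose names suggest cloud credentials (AWS_*, *TOKEN*, *KEY*).
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(AWS_\w+|\w*TOKEN\w*|\w*KEY\w*)\s*\}\}")
TRIVY_PREFIX = "aquasecurity/trivy"


@dataclass
class Finding:
    action: str
    ref: str
    pinned_to_sha: bool
    cloud_secrets: tuple  # secret names visible anywhere in this workflow file


def audit_workflow(text):
    """Return one Finding per Trivy action reference in a workflow file."""
    secrets = tuple(sorted(set(SECRET_RE.findall(text))))
    findings = []
    for action, ref in USES_RE.findall(text):
        if action.startswith(TRIVY_PREFIX):
            findings.append(Finding(action, ref, bool(SHA_RE.match(ref)), secrets))
    return findings


def needs_rotation(findings):
    """Step 3 trigger: a Trivy step on a mutable ref in a workflow that can read cloud secrets."""
    return [f for f in findings if not f.pinned_to_sha and f.cloud_secrets]


if __name__ == "__main__":
    for f in needs_rotation(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"ROTATE: {f.action}@{f.ref} runs with secrets {f.cloud_secrets}")
```

Run it over every `.github/workflows/*.yml` in active branches, forks, and self-hosted runner configurations; a SHA-pinned step still needs its pinned commit checked against the vendor's known-safe releases.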

Bottom line

Supply-chain incidents can keep causing damage long after the initial compromise is disclosed. If your pipelines handled sensitive cloud credentials, treat this as a rotate-and-verify event now, not later.