14 results tagged compromise
CERT-EU - European Commission cloud breach: a supply-chain compromise https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain
02/04/2026 20:43:05

Foreword
In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission’s public website platform “europa.eu” hosted on Amazon Web Services (AWS) cloud infrastructure.

CERT-EU was notified of this incident on 25 March 2026 by the European Commission, in accordance with Article 21 of Regulation (EU, Euratom) 2023/2841 (the “Cybersecurity Regulation”), which requires the Union institutions, bodies, offices and agencies (Union entities) to report significant incidents to CERT-EU without undue delay. CERT-EU has been providing support in accordance with Article 22 of the same Regulation.

On March 27, the European Commission publicly disclosed the incident through a press release.

Key points
On March 24, the European Commission’s Cybersecurity Operations Centre received alerts about potential misuse of Amazon APIs, potential account compromise, and an abnormal increase in network traffic. On March 25, CERT-EU was informed.
We assess with high confidence that initial access was obtained through the Trivy supply-chain compromise, which was publicly attributed to a threat actor known as TeamPCP.
A significant volume of data (about 91.7 GB compressed) was exfiltrated from the compromised AWS account, including personal data such as names, email addresses, and email content.
On March 28, the data extortion group ShinyHunters made the stolen data publicly available on their dark web leak site.
The compromised account is part of the technical infrastructure that drives multiple websites of the European Commission. Data pertaining to at least 29 other Union entities may be affected.
We assess that the rise in supply-chain compromises poses a significant threat. We strongly encourage all organisations to implement the recommendations in this post.
What happened
On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise, and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day.

An investigation uncovered that a malicious actor acquired an Amazon Web Services (AWS) secret (an API key) on March 19 through the Trivy supply-chain compromise. This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning for secrets and validating AWS credentials by calling the Security Token Service (STS). STS is the AWS service that issues short-lived security credentials for accessing AWS resources and verifying identities.

The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities.

The European Commission swiftly revoked the compromised account’s rights to block any illegitimate access. All compromised access keys have been deactivated or deleted.

How it happened
The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security. The firm has provided comprehensive details on this compromise in its advisory.

This assessment is based on three main factors:

1. The timing of the Trivy supply-chain compromise coincides with the observed initial compromise on March 19.
2. The specific resources being targeted: AWS credentials and cloud infrastructure.
3. The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.
According to Aqua Security, TeamPCP's tooling is designed to operate within CI/CD pipelines and exfiltrates harvested secrets via multiple channels, including typosquatted domains, GitHub repositories, and Cloudflare tunnels.

What data was taken
The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities.

On March 28, the data extortion group ShinyHunters published the exfiltrated dataset on their dark web leak site, claiming to have stolen “data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material”. The published dataset was approximately 91.7 GB compressed (340 GB uncompressed).

Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities.

The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, “bounce-back” notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.

The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time.

Lateral movement
The threat actor obtained management rights for the compromised AWS secret, which could have allowed them to move laterally to other AWS accounts belonging to the European Commission. However, no indication of such movement has been uncovered so far.

What the European Commission did
The European Commission took the following response actions:

Immediately secured the compromised AWS secret and disabled the newly created access keys involved in the threat actor’s activities.
Sent a breach notification to their Data Protection Controller (DPC) and the potentially affected Union entities’ Data Protection Officers (DPOs).
Notified the European Data Protection Supervisor (EDPS), as required under Regulation (EU) 2018/1725 for personal data breaches involving Union institutions.
Starting on March 31, began communicating directly with the identified impacted clients of the Europa web hosting service through dedicated meetings to inform them of the incident and the measures taken.
The European Commission’s press release of March 27 confirmed that its internal systems were not affected and that it would continue to monitor the situation and take all necessary measures to ensure the security of its systems and data.

Who else is affected
The compromised AWS cloud account forms part of the technical backend of the “europa.eu” web hosting service. This service supports several public websites of the European Commission and other Union entities. As noted above, exfiltrated data may pertain to 42 internal clients of the European Commission, and at least 29 other Union entities using the service.

No websites were taken offline or tampered with by the threat actor, and no service interruptions have been observed.

The European Commission has already initiated direct communications with the identified impacted clients (see Response section above), facilitated where relevant by CERT-EU. Should the ongoing analysis of the exfiltrated databases yield further findings, additional details on specific exposure will be shared directly with the affected parties.

Timeline
Date Event
2026-03-19 The threat actor obtained a compromised AWS secret (API key) with management rights over other AWS accounts belonging to the European Commission, via the Trivy supply-chain compromise. On the same day, the threat actor launched TruffleHog to scan for additional secrets and began reconnaissance activities.
2026-03-24 The European Commission’s CSOC team received alerts indicating potential misuse of Amazon APIs, potential account compromise, and an unusually large volume of network traffic. An incident response process was initiated.
2026-03-25 CERT-EU was informed by the European Commission that at least one AWS cloud account had been compromised. The European Commission secured the compromised AWS secret and disabled the newly created access keys.
2026-03-27 The European Commission published a press release disclosing the incident.
2026-03-28 Data extortion group ShinyHunters released the exfiltrated dataset publicly on their dark web leak site.
2026-03-31 The European Commission began communicating directly with impacted clients of the Europa web hosting service through dedicated meetings.
Tactics, Techniques and Procedures (TTPs)
ATT&CK ID Technique
T1586.003 Compromise Accounts: Cloud Accounts
T1078.004 Valid Accounts: Cloud Accounts
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1005 Data from Local System
What to do
Immediate
Address the Trivy supply-chain compromise. As a priority, organisations using Trivy should:

Update to a known-safe version as identified by Aqua Security.
Rotate all AWS secrets and credentials that may have been exposed to Trivy during the compromise window.
Audit Trivy versions deployed across all environments, including CI/CD pipelines.
Pin all GitHub Actions to full SHA hashes rather than mutable tags.
Search CI/CD logs and environments for exfiltration artefacts associated with TeamPCP (e.g., connections to typosquatted domains, unexpected Cloudflare tunnel activity).
Audit and rotate AWS credentials. Review all AWS access keys, particularly those accessible from CI/CD pipelines. Deactivate any keys that are unused, over-privileged, or that may have been exposed. Enable and review AWS CloudTrail logs for indicators consistent with this incident, including anomalous STS calls, use of TruffleHog, creation of new access keys on existing users, and lateral movement.
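A CloudTrail triage script for two of the indicators listed above (bursts of STS GetCallerIdentity calls, which is the credential-validation pattern a secret scanner such as TruffleHog produces, and CreateAccessKey on an existing user). This is an added example, not code from the CERT-EU post or the Commission; the records, key ids, IPs and thresholds are constructed assumptions.

```python
"""CloudTrail triage for the indicators this post names (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

CI_KEY = "AKIAEXAMPLE00000CI"        # constructed: the pipeline's access key
ATTACKER_IP = "203.0.113.10"         # constructed: documentation address range


def sts_check(ts, key, ip):
    """Build a minimal CloudTrail-shaped GetCallerIdentity record (constructed)."""
    return {"eventTime": ts, "eventSource": "sts.amazonaws.com",
            "eventName": "GetCallerIdentity", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                             "accessKeyId": key}}


# Constructed sample: six validation calls in 50 seconds from one key and IP,
# one routine call from another key, then a key minted for a different user.
SAMPLE_EVENTS = [
    sts_check(f"2026-03-19T10:00:{10 * i:02d}Z", CI_KEY, ATTACKER_IP) for i in range(6)
] + [
    sts_check("2026-03-19T11:00:00Z", "AKIAEXAMPLE0000OTHER", "198.51.100.7"),
    {"eventTime": "2026-03-19T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": ATTACKER_IP,
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": CI_KEY},
     "requestParameters": {"userName": "web-platform-admin"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000NEW"}}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def sts_validation_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Map (accessKeyId, sourceIPAddress) -> most GetCallerIdentity calls seen
    inside any `window`, for pairs reaching `threshold`. Both values are
    assumptions; tune them to the account's normal STS traffic."""
    calls = defaultdict(list)
    for e in events:
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetCallerIdentity":
            pair = (e["userIdentity"].get("accessKeyId"), e["sourceIPAddress"])
            calls[pair].append(parse_time(e["eventTime"]))
    hits = {}
    for pair, times in calls.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while times[start] < t - window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[pair] = max(hits.get(pair, 0), count)
    return hits


def access_key_creations(events):
    """List every CreateAccessKey as (caller, target user, new key id, cross_user).
    cross_user is True when the caller minted a key for a user other than itself,
    which is the detection-evasion step the post describes."""
    findings = []
    for e in events:
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] == "CreateAccessKey":
            caller = e["userIdentity"].get("userName")
            target = e.get("requestParameters", {}).get("userName") or caller
            new_key = e.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            findings.append((caller, target, new_key, caller != target))
    return findings


if __name__ == "__main__":
    for (key, ip), n in sts_validation_bursts(SAMPLE_EVENTS).items():
        print(f"STS validation burst: key={key} ip={ip} calls={n}")
    for caller, target, key, cross in access_key_creations(SAMPLE_EVENTS):
        print(f"CreateAccessKey by {caller} for {target} -> {key} [{'CROSS-USER' if cross else 'self'}]")
```

Real CloudTrail exports wrap records in a top-level `Records` list; feed that list to the two functions as-is.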

Short-term
Restrict CI/CD pipeline access to cloud credentials. Review whether CI/CD pipelines have access to AWS secrets. Where they do, ensure credentials are scoped to the minimum required permissions. Consider implementing AWS Service Control Policies (SCPs) to restrict sensitive API actions at the organisation level.

Implement vendor risk management for CI/CD dependencies. Establish release verification and vendor risk assessment processes for third-party CI/CD tooling. This includes verifying signatures on tool updates, maintaining an inventory of pipeline dependencies, and subscribing to security advisories for critical components. The Trivy compromise demonstrates that trusted vendors can become vectors for malicious code distribution.

Implement behavioural monitoring for CI/CD environments. Deploy behavioural monitoring and real-time alerting to detect anomalous CI/CD activity, such as unexpected secret access, outbound connections to unknown endpoints, or atypical API usage patterns. This enables early identification of supply-chain compromises before data exfiltration occurs.

Continuously
Enforce least privilege and credential hygiene. Apply least privilege principles across all cloud accounts and CI/CD service accounts. Implement regular credential rotation schedules, restrict access to credential storage mechanisms, and monitor for suspicious credential-related activity. Refer to MITRE mitigations M1043 (Credential Access Protection) and M1018 (User Account Management) for additional guidance.

Monitor for secondary exploitation of disclosed data. Given that the exfiltrated dataset has been publicly released, organisations whose data may be affected should monitor for targeted phishing or social engineering attempts leveraging the disclosed personal information (names, e-mail addresses, e-mail content). Raise awareness among staff accordingly.

Maintain software update and vulnerability scanning practices. Ensure all systems, applications, and CI/CD tooling are kept up to date with security patches. Conduct regular vulnerability scans to identify misconfigurations, unpatched software, or other weaknesses. Refer to MITRE mitigations M1051 (Update Software) and M1016 (Vulnerability Scanning) for additional guidance.

Legal framework
This incident and CERT-EU’s involvement fall within the framework of Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023, laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. Relevant provisions include:

Article 21 (Reporting obligations) – requires Union entities to notify CERT-EU of significant incidents without undue delay, within 24 hours of becoming aware of them.
Article 22 (Incident response coordination and cooperation) – mandates CERT-EU to provide support to the affected Union entity and to coordinate the response with relevant stakeholders.
Article 17 (Cooperation with Member State counterparts) – provides for CERT-EU to cooperate and exchange incident-specific information with national CSIRTs and competent authorities.
Article 20 (Cybersecurity information-sharing arrangements) – enables the voluntary sharing of cybersecurity information between Union entities and with relevant counterparts to improve collective detection and response capabilities.

cert.europa.eu CERT-EU EN 2026 breach supply-chain compromise
Account compromise leads to crash records data breach https://www.txdot.gov/about/newsroom/statewide/account-compromise-leads-to-crash-records-data-breach.html
11/06/2025 16:18:37

A compromise of an account has led to improper downloads of a large number of crash records, and the Texas Department of Transportation (TxDOT) is working to notify those affected.

On May 12, 2025, TxDOT identified unusual activity in its Crash Records Information System (CRIS). Further investigation revealed the activity originated from an account that was compromised and used to improperly access and download nearly 300,000 crash reports. TxDOT immediately disabled access from the compromised account.

Personal information included in crash records may contain: first and last name, mailing and/or physical address, driver license number, license plate number, car insurance policy number and other information. Notification, in this case, is not required by law, but TxDOT has taken proactive steps to inform the public by sending letters to notify the impacted individuals whose information was included in the crash reports.

If you received a letter about this matter, please call the dedicated assistance line at 1-833-918-5951 (toll-free), Monday through Friday, from 8 a.m. – 8 p.m. Central Time (excluding U.S. holidays). Please be prepared to provide the engagement number included in the letter.

TxDOT is implementing additional security measures for accounts to help prevent similar incidents in the future. The compromise is under investigation.

txdot.gov Texas account compromise crash records
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices?ref=metacurity.com
13/02/2025 15:33:45

Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.

recordedfuture EN 2025 Salt-Typhoon RedMike Cisco compromise CVE-2023-20273 CVE-2023-20198
Hackers reportedly compromise Argentina’s airport security payroll system | The Record from Recorded Future News https://therecord.media/hackers-target-airport-security-payroll
07/01/2025 09:08:45

The hackers gained access to the airport security police's payroll records and deducted small amounts from employee salaries.

therecord.media EN 2025 Argentina payroll salaries compromise
A Single Cloud Compromise Can Feed an Army of AI Sex Bots https://krebsonsecurity.com/2024/10/a-single-cloud-compromise-can-feed-an-army-of-ai-sex-bots/
06/10/2024 23:26:24

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which…

krebsonsecurity EN 2024 Cloud Compromise credentials Cybercriminals AI-powered chat services
How the theft of 40M UK voter register records was entirely preventable https://techcrunch.com/2024/08/02/how-the-theft-of-40-million-uk-voter-register-records-was-entirely-preventable/
03/08/2024 13:39:59

A scathing rebuke by the U.K. data protection watchdog reveals what led to the compromise of tens of millions of U.K. voters' information.

techcrunch EN 2024 UK data-protection watchdog compromise UK voters
Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments
13/02/2024 09:20:32

Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accoun...

proofpoint EN 2024 Microsoft Azure Campaign compromise cloud-security phishing MFA
Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
08/01/2024 16:19:25

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

cloudsek EN 2023 OAuth2 cookie Google Accounts compromise Undocumented Functionality
[Security Update] Incident Details https://jumpcloud.com/blog/security-update-incident-details
17/07/2023 06:44:29

As a result, today we are publishing details of activity by a sophisticated nation-state sponsored threat actor that gained unauthorized access to our systems to target a small and specific set of our customers. Prior to sharing this information, we notified and worked with the impacted customers. We have also been working with our incident response (IR) partners and law enforcement on both our investigation and steps designed to make our systems and our customers’ operations even more secure. The attack vector used by the threat actor has been mitigated.

jumpcloud EN 2023 compromise APT compromise Incident
3CX VoIP Software Compromise & Supply Chain Threats https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
30/03/2023 15:18:36

The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to the security community.

huntress EN 2023 3CX VoIP Software Compromise supplychain analysis
Cracking encrypted Lastpass vaults https://markuta.com/cracking-lastpass-vaults/
27/12/2022 00:42:22

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Markuta EN 2022 password-cracking lastpass compromise Hashcat crack PoC
Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/
20/10/2022 21:15:06

Hidden DNS resolvers and how to compromise your infrastructure

sec-consult 2022 Kaminsky attack DNS Hidden resolvers compromise infrastructure technical
On Agent Compromise in the Field https://thebrushpass.projectbrazen.com/covcom-iran-china-cia/
09/10/2022 21:05:07

In 2017, a team of New York Times journalists revealed that, beginning in 2010, Beijing’s counterintelligence apparatus had systematically rolled up the CIA’s sources in China.

thebrushpass projectbrazen EN 2022 China US spy Compromise 2017 counterintelligence
Cloudflare’s investigation of the January 2022 Okta compromise https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/
23/03/2022 15:18:52

Today, March 22, 2022 at 03:30 UTC we learnt of a compromise of Okta. We use Okta internally for employee identity as part of our authentication stack. We have investigated this compromise carefully and do not believe we have been compromised as a result. We do not use Okta for customer accounts; customers do not need to take any action unless they themselves use Okta.

cloudflare Okta EN 2022 compromise investigation