The European Commission has been breached in a coordinated attack by the cybercriminal groups TeamPCP and ShinyHunters, resulting in the exfiltration of approximately 92 gigabytes of sensitive data spanning 29 EU entities. The compromise originated in a supply-chain attack involving a stolen AWS access key linked to the open-source security scanner Trivy, exposing tens of thousands of emails and personal identifiers tied to EU governance operations.
What Happened
TeamPCP gained initial access with a compromised AWS access key connected to the European Commission's cloud infrastructure. The entry point was a supply-chain compromise involving Trivy, a widely used open-source container and vulnerability scanner. The attackers did not need to defeat any perimeter control: a valid access key presented to the AWS API is authenticated as the IAM principal it belongs to, so the stolen key simply acted as the pipeline that owned it, and from there the attackers moved laterally across Commission systems. ShinyHunters subsequently published the stolen data, indicating either a handoff between the two groups or a coordinated dual-actor operation. The breach affected at least 29 EU entities, making this one of the most significant intrusions into European governance infrastructure in recent years.
What Was Taken
The exfiltrated dataset totals roughly 92 gigabytes and includes:
- Tens of thousands of email communications from Commission staff and affiliated personnel
- Personal identifiers including names, contact information, and internal credentials
- Internal communications spanning multiple EU institutional bodies
- Data from at least 29 distinct EU entities, suggesting broad lateral movement across federated systems
The breadth of affected entities indicates this was not a smash-and-grab targeting a single database but a systematic extraction across interconnected cloud environments.
Why It Matters
This breach is significant on multiple levels. First, it demonstrates that state-level institutions operating federated cloud architectures remain vulnerable to single-credential compromises that cascade across dozens of sub-organisations. A single stolen access key unlocked access to 29 entities; the available reporting does not say whether that happened through a shared account, cross-account role trust or a shared pipeline, but any of those means the credential's permissions, not the network boundary, defined the blast radius. Second, the supply-chain vector through Trivy highlights persistent risk in the open-source dependency chain. Organisations implicitly trust the tooling they use to secure themselves, and a scanner that runs inside the pipeline can read every secret the pipeline can; attackers are increasingly targeting that trust relationship. Third, the dual-actor model, with TeamPCP executing the intrusion and ShinyHunters handling data publication, reflects a maturing cybercriminal ecosystem where specialisation and handoffs between groups accelerate the impact of breaches. For EU member states and allied governments, this incident raises urgent questions about credential lifecycle management, cloud access governance, and the integrity of security tooling itself.
The Attack Technique
The kill chain followed a supply-chain compromise model:
- Initial access: The attackers obtained an AWS access key used by the pipeline that ran Trivy, the open-source security scanning tool in the Commission's development process, by compromising that tooling rather than the Commission's own systems.
- Credential exploitation: Using the stolen access key, TeamPCP called the Commission's AWS APIs directly as the key's IAM principal. Because the key was valid, network perimeter controls never came into play; only IAM permissions, condition keys and monitoring could have limited what it could do.
- Lateral movement: From the initial foothold, the attackers pivoted across interconnected systems serving at least 29 EU entities, exploiting the federated trust model of the Commission's cloud architecture.
- Data exfiltration: Approximately 92 gigabytes of data, including emails, personal identifiers, and internal communications, were extracted.
- Publication: ShinyHunters subsequently published the stolen data, amplifying the breach's impact and suggesting coordination or a deliberate handoff between the two groups.
The technique underscores a growing trend: attackers are not breaking down the front door but instead compromising the tools organizations trust to guard it.
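The kill chain above is what a stolen pipeline key looks like from the defender's side: the same key that normally pulls scan artifacts from one IP range with one SDK suddenly asks who it is, lists buckets, assumes a role and starts reading in bulk from somewhere else. The following hunt, added here as an example and not code from the article or from any of the organisations it names, runs that logic over CloudTrail-shaped records. It assumes you can export the Records array of your CloudTrail logs and that you keep an inventory of which long-lived access keys belong to pipeline tooling, which egress ranges that tooling uses and which SDK user agents it sends; the key IDs, IP addresses and events in the sample are constructed.

```python
# Added example (not from the article): hunt for misuse of a CI/CD access key
# in CloudTrail records. Assumes an exported "Records" array and an inventory
# of pipeline keys, their egress ranges and SDK user agents. Key IDs, IPs and
# events below are constructed sample data.
import ipaddress
from collections import Counter

# Hypothetical inventory of pipeline keys (the "AKIA..." IDs are fake).
CI_KEYS = {
    "AKIAEXAMPLECI000001": {
        "owner": "ci-trivy-scanner",
        "egress_cidrs": ["203.0.113.0/24"],   # runner NAT range
        "user_agents": ["aws-sdk-go/"],       # what the scanner's SDK sends
    },
}

# Calls a container scanner has no business making, and calls that move data.
RECON_ACTIONS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
                 "ListAccessKeys", "ListSecrets", "DescribeInstances"}
READ_ACTIONS = {"GetObject", "GetSecretValue", "GetParameter", "CopyObject"}
BULK_READ_THRESHOLD = 50

def flag_event(ev, profile):
    """Return the reasons a single record looks like misuse of a CI key."""
    reasons = []
    src = ev.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
        if not any(ip in ipaddress.ip_network(c) for c in profile["egress_cidrs"]):
            reasons.append(f"source {src} outside CI egress range")
    except ValueError:
        # CloudTrail puts service names or "AWS Internal" here for some calls;
        # a runner key should never show up that way.
        reasons.append(f"non-IP source {src!r}")
    ua = ev.get("userAgent", "")
    if not any(ua.startswith(p) for p in profile["user_agents"]):
        reasons.append(f"unexpected user agent {ua!r}")
    name = ev.get("eventName", "")
    if name in RECON_ACTIONS:
        reasons.append(f"reconnaissance call {name}")
    if name == "AssumeRole":
        reasons.append("role assumption from a key that should not pivot")
    return reasons

def analyze(records):
    """Return one finding per suspicious CI-key record, plus bulk-read summaries."""
    findings = []
    reads = Counter()
    for ev in records:
        akid = ev.get("userIdentity", {}).get("accessKeyId")
        if akid not in CI_KEYS:
            continue
        profile = CI_KEYS[akid]
        reasons = flag_event(ev, profile)
        if ev.get("eventName") in READ_ACTIONS:
            reads[(akid, ev.get("sourceIPAddress"))] += 1
        if reasons:
            findings.append({"time": ev.get("eventTime"), "key": akid,
                             "owner": profile["owner"], "event": ev.get("eventName"),
                             "reasons": reasons})
    for (akid, src), n in reads.items():
        if n >= BULK_READ_THRESHOLD:
            findings.append({"time": None, "key": akid, "owner": CI_KEYS[akid]["owner"],
                             "event": "bulk-read",
                             "reasons": [f"{n} data reads from {src} (possible exfiltration)"]})
    return findings

def _rec(time, name, src, ua, akid="AKIAEXAMPLECI000001"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src,
            "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "userName": "ci-trivy-scanner",
                             "accessKeyId": akid}}

ATTACKER_IP, ATTACKER_UA = "198.51.100.23", "aws-cli/2.15.0 Python/3.11.4"
SAMPLE_RECORDS = [
    # The scanner doing its normal job from the runner range.
    _rec("2026-03-20T09:00:01Z", "GetObject", "203.0.113.7", "aws-sdk-go/1.44.300"),
    # Someone else holding the key: who am I, what can I see, where can I pivot?
    _rec("2026-03-20T23:14:02Z", "GetCallerIdentity", ATTACKER_IP, ATTACKER_UA),
    _rec("2026-03-20T23:14:09Z", "ListBuckets", ATTACKER_IP, ATTACKER_UA),
    _rec("2026-03-20T23:15:00Z", "AssumeRole", ATTACKER_IP, ATTACKER_UA),
    # A key that is not in the inventory is ignored by this hunt.
    _rec("2026-03-20T23:16:00Z", "ListBuckets", ATTACKER_IP, ATTACKER_UA,
         akid="AKIAEXAMPLEOTHER0001"),
] + [_rec(f"2026-03-20T23:20:{i:02d}Z", "GetObject", ATTACKER_IP, ATTACKER_UA)
     for i in range(60)]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["time"], f["owner"], f["event"], "; ".join(f["reasons"]))
```

Two caveats when running this against real logs: S3 GetObject and similar data-plane calls only appear in CloudTrail if data events are enabled for the trail, so the bulk-read count is empty by default, and credentials obtained through a role show up with a temporary ASIA key ID under a userIdentity of type AssumedRole, so the inventory needs the role ARN rather than a key ID in that case.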
What Organizations Should Do
- Inventory the secrets available to third-party tooling: enumerate every credential that open-source or vendor tools in your CI/CD pipeline can read (environment variables, runner secrets, mounted configuration files), not just the ones handed to them explicitly. Replace long-lived access keys with short-lived credentials obtained by federating the CI system to the cloud provider (on AWS, an OIDC identity provider plus AssumeRoleWithWebIdentity), and put any keys that must remain on an enforced rotation schedule with a hard age limit.
- Implement least-privilege access for cloud credentials: no single credential should provide access to 29 organisational units. Give each pipeline its own IAM role scoped to named resources, block wildcard actions and unrestricted sts:AssumeRole with permission boundaries or service control policies, and restrict where long-lived keys may be used from with condition keys such as aws:SourceIp so that a key harvested from a runner is useless off the runner's network.
- Monitor supply-chain integrity continuously: treat open-source dependencies and security tooling as attack surface. Pin tool versions and CI actions to immutable digests rather than floating tags, verify release signatures where the project publishes them, deploy software composition analysis, and alert on behaviour a scanner should never exhibit, such as reading credential files or connecting to unfamiliar hosts.
- Deploy canary credentials and honeypots in cloud environments: an access key that carries no permissions and is never used legitimately, left where a compromised tool would harvest it, turns the attacker's first GetCallerIdentity or ListBuckets call into a high-fidelity CloudTrail alert and can cut dwell time and data loss dramatically.
- Require more than a bearer credential for sensitive access: for human users, require MFA on console and API access (on AWS, policies can demand aws:MultiFactorAuthPresent). Pipelines cannot answer an MFA challenge, so for them the equivalent control is short-lived role credentials bound to the CI identity provider, source-IP conditions and tightly scoped permissions; a long-lived key by itself should never be sufficient to read sensitive data stores.
- Establish cross-entity incident response protocols: Federated organizations must have pre-coordinated playbooks for breaches that span multiple sub-entities to avoid delayed response and fragmented containment.
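The first two recommendations above are the ones an engineer can start checking today, so here is an audit for both, added as an example rather than taken from the article or from any tool it mentions: it flags long-lived access keys on pipeline users that are overdue for rotation, unused, or left behind from a half-finished rotation, and it lints the policy attached to such a user for the blast-radius problems that let one key reach far more than one pipeline needs. The dict shapes follow what boto3's iam.list_access_keys, iam.get_access_key_last_used and iam.get_policy_version return, but every user name, key ID, date and policy below is constructed; in real use you would fill them from the AWS API.

```python
# Added example (not from the article): audit long-lived IAM access keys on
# pipeline users and lint their policies for blast radius. Input shapes mirror
# boto3's iam.list_access_keys / get_access_key_last_used / get_policy_version,
# but all users, key IDs, dates and policies here are constructed.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotate anything older
STALE_AFTER = timedelta(days=30)   # deactivate anything unused this long
DATA_SERVICES = {"s3", "secretsmanager", "ssm", "dynamodb"}

def audit_access_keys(keys, now):
    """Return (user, key_id, problem) tuples for keys that need action.

    keys: dicts with UserName, AccessKeyId, Status, CreateDate (aware datetime)
    and LastUsedDate (aware datetime, or None if the key has never been used).
    """
    findings, active = [], {}
    for k in keys:
        user, akid = k["UserName"], k["AccessKeyId"]
        if k["Status"] != "Active":
            findings.append((user, akid, "inactive key still exists; delete it"))
            continue
        active.setdefault(user, []).append(akid)
        age = now - k["CreateDate"]
        if age > MAX_KEY_AGE:
            findings.append((user, akid, f"{age.days} days old; rotate (limit {MAX_KEY_AGE.days})"))
        last = k["LastUsedDate"] or k["CreateDate"]   # a never-used key is stale from creation
        if now - last > STALE_AFTER:
            findings.append((user, akid, f"unused for {(now - last).days} days; deactivate, then delete"))
    for user, ids in active.items():
        if len(ids) > 1:
            findings.append((user, ",".join(ids), "two active keys; finish the rotation and delete the old one"))
    return findings

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def lint_policy(doc):
    """Return blast-radius problems in an IAM policy document (plain dict)."""
    problems = []
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        all_resources = "*" in resources
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        touches_data = any(a.split(":")[0] in DATA_SERVICES for a in actions)
        if wildcard_action and all_resources:
            problems.append(f"statement {i}: wildcard actions on every resource")
        elif touches_data and all_resources:
            problems.append(f"statement {i}: data access not scoped to named resources")
        if "sts:AssumeRole" in actions and all_resources:
            problems.append(f"statement {i}: may assume any role (cross-account pivot path)")
        cond = st.get("Condition", {})
        if not cond.get("IpAddress", {}).get("aws:SourceIp"):
            problems.append(f"statement {i}: no aws:SourceIp condition; a stolen key works from anywhere")
    return problems

NOW = datetime(2026, 3, 21, tzinfo=timezone.utc)

def _key(user, akid, status, created_days_ago, used_days_ago):
    return {"UserName": user, "AccessKeyId": akid, "Status": status,
            "CreateDate": NOW - timedelta(days=created_days_ago),
            "LastUsedDate": None if used_days_ago is None else NOW - timedelta(days=used_days_ago)}

SAMPLE_KEYS = [  # constructed
    _key("ci-trivy-scanner", "AKIAEXAMPLE00000001", "Active", 400, 1),     # old but busy: rotate
    _key("ci-trivy-scanner", "AKIAEXAMPLE00000002", "Active", 5, None),    # replacement, rotation unfinished
    _key("ci-deploy",        "AKIAEXAMPLE00000003", "Inactive", 200, 120), # deactivated, never deleted
    _key("ci-legacy",        "AKIAEXAMPLE00000004", "Active", 60, 45),     # nobody uses it any more
    _key("ci-release",       "AKIAEXAMPLE00000005", "Active", 30, 2),      # healthy
]

WEAK_POLICY = {  # constructed: the "just make the scanner work" policy
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
    ],
}
SCOPED_POLICY = {  # constructed: read one artifact bucket, only from the runner range
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-scan-artifacts",
                     "arn:aws:s3:::example-scan-artifacts/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

if __name__ == "__main__":
    for user, akid, problem in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{user:18} {akid:22} {problem}")
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or ["ok"])
```

The aws:SourceIp check is a mitigation for keys that must stay long-lived, not a substitute for short-lived federated credentials: it does not apply to calls made through VPC endpoints (those need aws:VpcSourceIp) or by AWS services acting on your behalf, and it does nothing against an attacker already running inside the runner's network.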
Sources: European Commission Hacked: Massive Data Breach by TeamPCP and ShinyHunters (2026)