On March 27, 2026, the European Commission officially confirmed a cyberattack against its cloud infrastructure hosting the Europa.eu web platform. The following day, threat group ShinyHunters published a 90GB compressed archive on a dark web leak site.
Two Threat Actors, One Breach
CERT-EU's investigation attributed the initial intrusion to TeamPCP, a separate threat group that gained access through a supply chain compromise of the Trivy vulnerability scanner. The attack chain:
- TeamPCP compromised the Trivy scanner used by the EC
- The poisoned Trivy installation extracted an AWS secret API key (around March 19)
- TeamPCP used the key to access EC AWS accounts beginning March 10
- Approximately 350GB of data was exfiltrated before detection on March 24
- ShinyHunters subsequently obtained and published the data on March 28
What Was Exposed
According to Cybernews and CERT-EU, the leaked archive contained:
- Email server content from EC domains
- DKIM signing keys for EC email domains — enabling potential email forgery from official @ec.europa.eu addresses
- Confidential internal documents and contracts
- Single Sign-On (SSO) user directory data
- AWS configuration snapshots
- NextCloud collaboration platform data
- Employee personally identifiable information
Scope
CERT-EU reported that 42 internal EC clients and 29 other Union entities (EU agencies and institutions using Europa.eu hosting) were potentially affected — up to 71 organisations in total. The Commission stated that internal administrative systems were not affected and that no service disruption occurred.
Context
The breach is notable for two reasons. First, it demonstrates the growing risk of software supply chain attacks — the attacker did not target the EC directly but compromised a widely used open-source security tool (Trivy) as an intermediary. Second, the exposure of DKIM signing keys creates an ongoing risk of email impersonation from legitimate EC domains until those keys are rotated.
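The DKIM point above has a practical consequence for mail receivers: a DKIM "pass" made with an exposed key proves nothing until the key is rotated. The following triage sketch is an added example, not code from CERT-EU or the Commission. The selector names, relay hosts and sample messages are constructed placeholders, and using March 10 (the earliest access date in the timeline above) as the cutoff is an assumption.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def received_at(msg):
    """Receive time from the topmost Received header (our own MTA), not the signer's t=."""
    top = msg.get("Received", "")
    try:
        when = parsedate_to_datetime(top.rsplit(";", 1)[1].strip())
    except (IndexError, ValueError, TypeError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def suspect_signatures(raw, watchlist, exposed_since):
    """Return (domain, selector) pairs whose DKIM pass should not be trusted."""
    msg = email.message_from_string(raw)
    when = received_at(msg)
    hits = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(sig)
        pair = (tags.get("d", "").lower(), tags.get("s", ""))
        # An unknown receive time is treated as suspect rather than trusted.
        if pair in watchlist and (when is None or when >= exposed_since):
            hits.append(pair)
    return hits

# Constructed sample data: selector names and hosts are placeholders.
WATCHLIST = {("ec.europa.eu", "placeholder-old")}
EXPOSED_SINCE = datetime(2026, 3, 10, tzinfo=timezone.utc)

def sample(selector, date):
    return (f"Received: from relay.example by mx.example; {date}\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d=ec.europa.eu;\n"
            f" s={selector}; t=1700000000; h=from:subject; bh=AAAA=; b=BBBB=\n"
            "From: sender@ec.europa.eu\nSubject: constructed sample\n\nbody\n")

AFTER = sample("placeholder-old", "Thu, 02 Apr 2026 09:15:00 +0000")
BEFORE = sample("placeholder-old", "Sun, 01 Feb 2026 09:15:00 +0000")
ROTATED = sample("placeholder-new", "Thu, 02 Apr 2026 09:15:00 +0000")
```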
For organisations in the EU regulatory ecosystem, this incident underscores why NIS2 Article 21 requires supply chain security measures and why ISO 27001 Annex A control 5.21 addresses information security in the ICT supply chain.