CERT-EU: European Commission Hack Exposes Data of 30 EU Entities

TeamPCP breached the European Commission's AWS environment using a stolen API key, exposing data from 30+ EU entities. Here's how it happened and what devs must do.

April 3, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

European Commission Cloud Breach: 30 EU Entities Hit by TeamPCP

A stolen AWS API key. A supply-chain poisoned weeks earlier. Thirty EU entities compromised. This is the fallout from one of the most significant cloud breaches in EU institutional history - and the attack chain is a masterclass in how modern threat actors move quietly and fast.

What Happened

On March 10, the threat group TeamPCP used a compromised AWS API key - one with management rights over multiple European Commission accounts - to breach the Commission's Amazon cloud environment. That key was stolen in the Trivy supply-chain attack, meaning the intrusion started long before anyone noticed.

The Commission's Cybersecurity Operations Center wasn't alerted until March 24 - five days after the initial intrusion. That's a brutal detection gap.

Here's the attack chain:

  • Access via stolen AWS key with management-level permissions across multiple accounts
  • TruffleHog used to scan for additional secrets inside the environment
  • New access key attached to an existing user to blend into normal IAM activity and evade detection
  • Reconnaissance and data exfiltration of tens of thousands of files
  • ShinyHunters published the stolen dataset on March 28 - a 90GB archive containing names, emails, and email content from up to 71 hosting clients

CERT-EU confirmed at least 51,992 email-related files were exfiltrated, some containing original user-submitted content from bounce-back notifications.

TeamPCP has previously hit GitHub, PyPI, NPM, Docker, and compromised the LiteLLM PyPI package with their "TeamPCP Cloud Stealer" malware.

How Developers Can Avoid This

This breach wasn't a zero-day exploit. It was a chain of avoidable misconfigurations and blind spots. If you're running anything on AWS, this is your checklist:

  • Rotate API keys aggressively - long-lived keys are a liability. Use short-lived credentials via IAM roles wherever possible
  • Audit your supply chain dependencies - tools like Trivy, TruffleHog, and similar scanners are dual-use. Know what has access to your secrets
  • Enable AWS CloudTrail and GuardDuty - unusual API calls, new access key creation, and cross-account activity should trigger alerts immediately
  • Apply least-privilege IAM policies - no API key should have management rights across multiple accounts
  • Scan your repos and CI/CD pipelines for secret leakage using tools like git-secrets or trufflehog before attackers do it for you
  • Monitor for IAM anomalies - attaching new keys to existing users is a red flag that automated detections should catch
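As an added example (not code from the article, CERT-EU or VibeWShield), the Python script below implements offline versions of the checklist's detection points and replays the attack chain described earlier against constructed input: it flags long-lived active keys in an IAM credential report, and runs three rules over a handful of constructed CloudTrail records to catch a new access key being attached to an existing user, a burst of secret reads consistent with secret scanning, and a cross-account role assumption. The CloudTrail event names and the credential-report column names (a subset of the real columns) are real; account IDs, user names, timestamps and the thresholds are assumptions.

```python
"""Offline detection checks for the AWS checklist above (added example).
Inputs are constructed: a credential-report excerpt and a few CloudTrail
records in the same shape the CloudTrail JSON uses."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HOME_ACCOUNT = "111111111111"            # constructed: the account being defended
MAX_KEY_AGE_DAYS = 90                    # rotation policy threshold (assumption)
SECRET_BURST_THRESHOLD = 5               # GetSecretValue calls per identity per window
SECRET_BURST_WINDOW = timedelta(minutes=10)

# Constructed excerpt of `aws iam get-credential-report` (columns are the real names).
CREDENTIAL_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
deploy-bot,true,2025-11-01T08:00:00+00:00,false,N/A
alice,true,2026-03-20T09:30:00+00:00,true,2026-03-10T14:05:00+00:00
"""


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days) for every active key older than the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def _event(time, name, source, user, params=None):
    """Build a minimal CloudTrail record (constructed, for the replay below)."""
    return {
        "eventTime": time, "eventName": name, "eventSource": source,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "accountId": HOME_ACCOUNT,
                         "arn": f"arn:aws:iam::{HOME_ACCOUNT}:user/{user}"},
        "requestParameters": params or {},
        "recipientAccountId": HOME_ACCOUNT,
    }


# Constructed replay of the attack chain: key attached to an existing user,
# secret enumeration, then a cross-account role assumption, plus benign noise.
SAMPLE_EVENTS = [
    _event("2026-03-10T14:05:00Z", "CreateAccessKey", "iam.amazonaws.com",
           "deploy-bot", {"userName": "alice"}),
    *[_event(f"2026-03-10T14:{10 + i // 2:02d}:{'00' if i % 2 == 0 else '30'}Z",
             "GetSecretValue", "secretsmanager.amazonaws.com", "deploy-bot",
             {"secretId": f"prod/db/secret-{i}"}) for i in range(6)],
    _event("2026-03-10T14:20:00Z", "AssumeRole", "sts.amazonaws.com", "deploy-bot",
           {"roleArn": "arn:aws:iam::222222222222:role/Admin"}),
    _event("2026-03-10T15:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "bob"),
]


def _actor(ev):
    ui = ev.get("userIdentity", {})
    return ui.get("arn") or f"{ui.get('type')}:{ui.get('userName')}"


def detect_cloudtrail_anomalies(events, home_account=HOME_ACCOUNT):
    """Return (rule, actor, detail) findings; each rule maps to a checklist item."""
    findings = []
    secret_calls = defaultdict(list)          # actor -> timestamps in sliding window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        actor, name = _actor(ev), ev["eventName"]
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        params = ev.get("requestParameters") or {}
        if name == "CreateAccessKey":
            # A key created for an existing user (possibly another user) blends
            # into normal IAM activity; alert on every occurrence.
            target = params.get("userName") or ev["userIdentity"].get("userName")
            findings.append(("new_access_key", actor, f"key created for {target}"))
        elif name == "AssumeRole":
            role_arn = params.get("roleArn", "")
            # ARN format arn:partition:service:region:account:resource; index 4 is the account.
            if role_arn and role_arn.split(":")[4] != home_account:
                findings.append(("cross_account_assume_role", actor, role_arn))
        elif name == "GetSecretValue":
            window = secret_calls[actor]
            window.append(when)
            while window and when - window[0] > SECRET_BURST_WINDOW:
                window.pop(0)                 # drop calls that aged out of the window
            if len(window) == SECRET_BURST_THRESHOLD:   # fire once when crossed
                findings.append(("secret_enumeration_burst", actor,
                                 f"{len(window)} GetSecretValue calls in {SECRET_BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    now = datetime(2026, 3, 24, tzinfo=timezone.utc)
    for f in stale_access_keys(CREDENTIAL_REPORT, now):
        print("STALE KEY", f)
    for f in detect_cloudtrail_anomalies(SAMPLE_EVENTS):
        print("ALERT", f)
```

The burst rule fires once when the threshold is crossed rather than on every call past it, which keeps a single scanning run from producing hundreds of duplicate alerts; in production the same rules would be fed from CloudTrail-to-S3 delivery or EventBridge rather than an inline list.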

The five-day detection gap here is the real threat. When you don't have visibility into API-level abuse, attackers operate freely inside your perimeter.
