CERT-EU has traced the European Commission's cloud data breach to a compromised Trivy scanner distributed by TeamPCP. The attribution comes from a CERT-EU disclosure reported this week. AI startup Mercor separately confirmed on X that it was "one of thousands of companies impacted by a supply chain attack involving LiteLLM."
ShinyHunters has published EC data on its leak site. Lapsus$ claims to hold Mercor's internal files.
CERT-EU's disclosed timeline puts the start at March 19, 2026. That was the day TeamPCP began pushing poisoned Trivy packages, and the same day the EC's AWS API key was stolen. The compromise was not publicly detected until March 20.
As always, we recommend all customers to follow security, identity, and compliance best practices — including relying on temporary credentials, such as IAM roles, instead of creating long-term credentials, such as access keys. Customers can contact AWS Support with any questions or concerns about the security of their account.
— An AWS spokesperson told AnonHaven
Once installed, the poisoned Trivy harvested credentials and secrets from the EC's environment. Aqua Security's official disclosure came days after March 20. Attackers used Trufflehog, an open-source tool for finding exposed secrets, to discover additional AWS credentials. After reconnaissance, they exfiltrated data from S3 buckets and Amazon Elastic Container Service (ECS) instances.
ShinyHunters published the stolen data on its leak site. CERT-EU's advisory puts the volume at 340 GB uncompressed (91.7 GB as a compressed archive). CERT-EU confirmed the breach affected 71 clients of the Europa web hosting service. Forty-two were internal European Commission departments. At least 29 were other EU entities.
Mercor disclosed the LiteLLM connection on X on Tuesday. Lapsus$, a cybercriminal group, claimed 4 TB of Mercor's internal data. Nearly a terabyte of that was source code, according to the claim. Mercor did not respond to requests for comment. Ensar Seker, CISO at SOCRadar, called the situation "a convergence of cybercriminal ecosystems around the same access."
TeamPCP drove the initial supply chain compromises. ShinyHunters and Lapsus$ now operate in the monetisation and extortion layer, but how they obtained the stolen data remains unclear. An X post associated with TeamPCP claims the group is not collaborating with ShinyHunters and is actively in conflict with them.
A separate alliance complicates the picture further. TeamPCP announced a formal partnership with Vect, an emerging ransomware gang.
The fact that both teams are now working together raises the risk potential significantly. Vect will now have access to potentially millions of victims who can be infected with their ransomware through TeamPCP's RAT.
— Tomer Peled, security researcher, Akamai
Wiz's customer incident response team (CIRT) confirmed "multiple attacks" using stolen TeamPCP credentials. Targets included victims' AWS, Azure, and SaaS environments. The playbook matched the EC breach. Trufflehog for credential discovery, reconnaissance, then S3 and ECS exfiltration.
Mandiant CTO Charles Carmakal put a number on the scale at RSA. Google-owned Mandiant knew of "over 1,000 impacted SaaS environments" actively dealing with cascading effects from the TeamPCP compromises.
The full campaign unfolded in a single week. March 19 brought the Trivy compromise. March 23 hit Checkmarx KICS. March 24 poisoned LiteLLM on PyPI.
March 27 delivered the malicious Telnyx SDK with WAV audio steganography. The Axios npm attack on March 31 came from a separate actor.
Speed is the real lesson. In practice, the response window is now measured in hours, not days. The biggest mistake would be to remove the malicious package but leave the stolen credentials usable, because by then the attackers may already be operating inside adjacent environments.
— Ensar Seker, CISO, SOCRadar
Seker added that the old assumption of supply chain attacks as downstream integrity problems no longer holds. These cases show compromised packages leading directly to stolen secrets, cloud access, SaaS exposure, and extortion by additional actors.
The compromised PyPI package contained a three-stage remote access trojan (RAT). The Telnyx attack used WAV audio steganography to deliver the payload. Given the volume of credentials already in TeamPCP's possession, Akamai's Tomer Peled expects "more compromised libraries are likely to be discovered."
CERT-EU's timeline is the detail that should keep security teams up at night. The EC's API key was stolen on March 19, the same day TeamPCP pushed the poisoned Trivy build. Nobody knew the tool was compromised until March 20. Credential rotation that starts after public disclosure is already too late when attackers move within hours of the initial compromise.
— Adam Bream, AnonHaven
Trivy, KICS, LiteLLM, Telnyx SDK users during March 2026 should assume credentials are compromised. Rotate all secrets immediately, invalidate tokens, and reissue cloud credentials. Review GitHub Actions and package publishing workflows. Hunt for suspicious activity in cloud and SaaS environments.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
