CERT-EU has attributed the European Commission cloud breach to TeamPCP, the same threat group behind the Trivy and LiteLLM supply chain attacks, and confirmed the incident affected data belonging to at least 71 clients across the Europa web hosting service. The findings significantly expand the scope of what was initially disclosed on March 27 as a contained intrusion into the Commission’s AWS environment.
How TeamPCP Got In
The attack began on March 10 when TeamPCP used a compromised AWS API key with management rights over European Commission accounts. That key was stolen as part of the earlier Trivy supply chain attack. Once inside, the group used TruffleHog, a tool designed to scan and validate cloud credentials, to search for additional secrets. They then attached a newly created access key to an existing user account to evade detection before conducting reconnaissance and exfiltrating data.
The Commission’s Cybersecurity Operations Center was not alerted to any API misuse, account compromise indicators, or abnormal network traffic until March 24, 5 days after the initial intrusion. The Commission notified CERT-EU 2 days later on March 26, and publicly disclosed the incident on March 27.
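The two steps described above, a credential-validation sweep followed by a new access key attached to an existing IAM user, both leave CloudTrail records that a detection rule can match. The following is an added example, not tooling from CERT-EU or the Commission; the events, user names, key IDs and IP address are constructed, and it assumes a credential scanner such as TruffleHog shows up as sts:GetCallerIdentity calls across several distinct keys.

```python
import json

# Constructed CloudTrail-style records for illustration (not data from the
# incident); only the fields the checks below read are included.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2026-03-10T08:01:00Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLEOLD00001"}},
 {"eventTime":"2026-03-10T08:01:05Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"type":"IAMUser","userName":"ci-runner","accessKeyId":"AKIAEXAMPLEOLD00003"}},
 {"eventTime":"2026-03-10T08:02:00Z","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLEOLD00001"},
  "requestParameters":{"userName":"svc-backup"},
  "responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLENEW00002","userName":"svc-backup"}}},
 {"eventTime":"2026-03-10T08:05:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"type":"IAMUser","userName":"svc-backup","accessKeyId":"AKIAEXAMPLENEW00002"}}
]""")


def detect_grafted_keys(events):
    """Flag CreateAccessKey calls where an access-key-authenticated caller mints a key
    for a different existing IAM user, then flag every later call made with that key."""
    alerts, grafted = [], {}  # grafted: new key id -> (creator, target user)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        caller, key = ident.get("userName"), ident.get("accessKeyId")
        if ev["eventName"] == "CreateAccessKey":
            target = ev.get("requestParameters", {}).get("userName", caller)
            new_key = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            # Self-rotation by the same user is routine; a key minted for someone else
            # by a programmatic caller matches the pattern the article describes.
            if key and new_key and target != caller:
                grafted[new_key] = (caller, target)
                alerts.append(("key_grafted", ev["eventTime"], caller, target, new_key))
        elif key in grafted:
            alerts.append(("grafted_key_used", ev["eventTime"], caller, ev["eventName"], ev["sourceIPAddress"]))
    return alerts


def validation_sweeps(events, threshold=2):
    """Return source IPs that validated at least `threshold` distinct access keys via
    sts:GetCallerIdentity (assumed here to be how a credential scanner confirms a key works)."""
    keys_by_ip = {}
    for ev in events:
        if ev["eventName"] == "GetCallerIdentity":
            keys_by_ip.setdefault(ev["sourceIPAddress"], set()).add(ev["userIdentity"].get("accessKeyId"))
    return {ip: sorted(keys) for ip, keys in keys_by_ip.items() if len(keys) >= threshold}


if __name__ == "__main__":
    print(detect_grafted_keys(SAMPLE_EVENTS), validation_sweeps(SAMPLE_EVENTS))
```

On real CloudTrail data, feed the parsed `Records` array of each log file to both functions; the thresholds and the same-user exemption are the knobs to tune for your environment.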
Scope of the Breach
CERT-EU confirmed that the breach potentially affects 42 internal European Commission clients and at least 29 other Union entities using the Europa web hosting service. The stolen dataset, published by ShinyHunters on their dark web leak site on March 28 as a 90 gigabyte compressed archive expanding to approximately 340 gigabytes uncompressed, contains names, email addresses, usernames, and email content.
The screenshot below shows the European Commission listing on the ShinyHunters leak site, published March 28. The listing describes the compromised data as including mail server dumps, databases, confidential documents, and contracts, and lists the archive as 350 gigabytes uncompressed. ShinyHunters’ description goes beyond what CERT-EU has confirmed so far, and the full contents of the archive are still being analyzed.

CERT-EU’s analysis confirmed at least 51,992 files related to outbound email communications totaling 2.22 gigabytes. Most are automated notifications, but bounce-back messages may contain original user-submitted content, creating an additional layer of personal data exposure. No websites were taken offline or tampered with as a result of the incident, and no lateral movement to other Commission AWS accounts has been detected.
TeamPCP’s Expanding Campaign
The European Commission breach is part of a broader TeamPCP campaign targeting developer infrastructure across GitHub, PyPI, NPM, and Docker. The same group compromised the LiteLLM PyPI package in an attack that impacted tens of thousands of devices and led directly to the Cisco source code breach and the confirmed compromise of AI training platform Mercor, whose clients include OpenAI, Anthropic, and Meta.
The European Commission has notified the relevant data protection authorities and is in direct communication with affected entities. Analysis of the exfiltrated databases and files is ongoing, and CERT-EU noted that it will likely require a considerable amount of time to complete.