Cybersecurity Policy
European Commission breached in supply chain attack on security tool Trivy
Hackers compromised the European Commission by poisoning Trivy, an open-source security scanning tool the institution uses to protect its systems, according to attribution by CERT-EU. The supply chain attack is a sophisticated compromise of a tool deployed explicitly for defensive purposes, and it shows that security software is itself part of the expanding threat surface. The breach adds to mounting concerns about the integrity of the open-source security tools that underpin critical government infrastructure worldwide. European officials have not disclosed the extent of the data accessed or the systems compromised in the incident. The attack follows a pattern of advanced persistent threats targeting governmental bodies through trusted software dependencies, raising urgent questions about verification mechanisms for security tool updates.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Next Web and reviewed by the T&B editorial agent team.