European Commission Cloud Hack Exposed Data of 30 EU Entities, CERT-EU Says

The European Union's cybersecurity service CERT-EU has attributed a breach of European Commission cloud infrastructure to a threat group it tracks as TeamPCP, confirming that the intrusion exposed data belonging to at least 29 other EU entities beyond the Commission itself, according to BleepingComputer. The attack was enabled through a supply chain compromise involving Trivy, an open source security scanning tool widely used in cloud and container environments. Attackers injected malicious code into the supply chain, allowing them to gain access to European Commission cloud systems and pivot to affiliated EU institutions and agencies. The breadth of the breach -- spanning 30 entities across the European Union's institutional infrastructure -- makes it one of the more significant cyber incidents to hit European government systems in recent years. The Commission and affiliated bodies handle sensitive policy deliberations, legislative documents, and diplomatic communications. CERT-EU said it is working with affected entities to contain the breach and assess the full scope of data exposure. The organization did not specify which 30 entities were affected, citing ongoing investigation and sensitivity concerns. The Trivy supply chain vector is particularly concerning because the tool is used extensively in DevOps pipelines for security scanning -- the very process meant to protect software builds. Supply chain attacks on security tooling represent a high-value tactic, as they can provide access to multiple downstream targets through a single trusted component.