preloader

· security devops supply-chain aws cicd github-actions cve europe cloud

Trivy CVE-2026-33634: How a Poisoned Security Scanner Breached the European Commission’s AWS Cloud

Source: Cybernews / CERT-EU

CERT-EU confirmed in its April 3, 2026 advisory that the European Commission’s AWS cloud breach, which saw ShinyHunters publish 350 GB of stolen data, originated from a tampered version of Trivy, the widely-used open-source vulnerability scanner published by Aqua Security. The attack has since been linked to the threat actor group TeamPCP and has been assigned CVE-2026-33634 with a CVSS score of 9.4.

The incident is one of the most consequential supply chain attacks targeting European cloud infrastructure on record. It demonstrates a threat model that bypasses perimeter controls entirely by compromising the security tooling that CI/CD pipelines trust most.

How the attack worked

TeamPCP exploited a misconfigured GitHub Actions workflow environment inside the aquasecurity/trivy repository to obtain repository secrets with write access to the release pipeline. Using those credentials, the group force-pushed malicious binaries onto 76 of 77 existing version tags in the aquasecurity/trivy-action repository and all seven tags of aquasecurity/setup-trivy.

The rogue binaries contained an infostealer designed to harvest environment variables, cloud provider credentials, API tokens, and SSH keys from any build environment in which they executed. Exfiltrated secrets were encrypted and sent to an attacker-controlled domain closely mimicking Aqua Security’s legitimate scanning domain: scan.aquasecurtiy[.]org.

Because CI/CD pipelines that reference aquasecurity/trivy-action or aquasecurity/setup-trivy by version tag pull those artifacts automatically on each run, any pipeline configured this way received the malicious binary without any indication that the upstream artifacts had been modified. The attack exploited the trust that pinned tag references are meant to establish, by subverting those references at the source.

TeamPCP did not stop at Trivy. Using credentials stolen through compromised pipelines, the group pivoted into Checkmarx’s open-source KICS project and injected the same credential-stealing payload into the ast-github-action and kics-github-action repositories. SANS Institute researchers subsequently estimated that more than 10,000 CI/CD workflows were exposed across both toolchains.

From a CI/CD pipeline to the European Commission’s AWS infrastructure

The European Commission’s Europa.eu web hosting service used Trivy as part of its CI/CD security scanning workflow. On 19 March 2026, the Commission’s build pipelines pulled a compromised Trivy artifact, and the infostealer harvested AWS API keys from the build environment.

TeamPCP used those keys to gain access to an AWS account that held management rights over affiliated accounts in the Commission’s cloud estate. They then deployed TruffleHog to sweep for additional credentials across the accessible environment, escalating into databases, email backups, internal document stores, and an SSO user directory. CERT-EU’s advisory confirmed that 350 GB of uncompressed data was exfiltrated across 71 client environments hosted on Europa.eu infrastructure.

ShinyHunters subsequently published the stolen data in a series of release archives on dark web leak sites. Researchers who examined the published data reported that it included emails and attachments from cloud-hosted mail services, the full SSO user directory, DKIM private signing keys, AWS configuration snapshots, NextCloud and Amazon Athena data, and internal administrative documentation.

Why the DKIM key exposure matters beyond the breach itself

The exposure of DKIM private signing keys deserves specific attention. DKIM keys are used to cryptographically sign outgoing email on behalf of a domain. A recipient’s mail server verifies this signature to confirm that a message actually originated from the stated sending domain.

An attacker holding stolen DKIM private keys can generate emails that will pass DKIM verification as if they were sent by legitimate Commission infrastructure. This enables highly convincing phishing and impersonation campaigns against everyone who has received genuine email from Commission addresses, because the spoofed messages will be authenticated by mail server checks that recipients and security teams commonly rely on as evidence of legitimacy.

This is a follow-on attack surface that will remain open until the compromised DKIM keys are rotated out of DNS and replaced.

The structural weakness this attack exploited

The Trivy attack demonstrates a pattern that is becoming increasingly common in threat intelligence reporting: attackers targeting the security tooling embedded in CI/CD pipelines rather than the application code those pipelines produce.

Security tools occupy a privileged position in the build environment. A vulnerability scanner, dependency analyser, or static analysis tool running in a CI/CD pipeline typically has access to the same environment variables and secrets as the rest of the pipeline, and often requires elevated access to perform its function. An attacker who can tamper with one of these tools gains access to every credential that flows through pipelines consuming it.

The attack vector is not specific to Trivy or Aqua Security. Any GitHub Action consumed by version tag reference rather than pinned to a specific commit SHA is vulnerable to this pattern if the upstream repository’s workflow environment is compromised.

Steps your team should take

If your CI/CD pipelines used aquasecurity/trivy-action, aquasecurity/setup-trivy, or Checkmarx KICS GitHub Actions between 19 and 24 March 2026, treat all secrets present in those build environments during that window as compromised. Rotate AWS and cloud provider credentials immediately. Rotate SSH keys used for deployment. Rotate container registry credentials and any tokens used to authenticate to downstream services.

Audit CloudTrail and build logs for unexpected access or data transfer activity during the exposure window. Review whether any of the affected GitHub Actions are still referenced in active pipelines.

As a structural measure, pin all third-party GitHub Actions to specific commit SHAs rather than version tags. A commit SHA cannot be retroactively changed to point to different code. A version tag can. Tools such as Step Security’s pin-github-action automate SHA pinning across your repositories and substantially reduce the risk surface for this class of attack.

If your organisation is unsure whether its pipelines were in scope, needs help with a credential rotation, or wants an independent assessment of its CI/CD and GitHub Actions security posture, contact Excello Digital. We help European engineering and security teams respond to supply chain incidents and design pipeline environments that are structurally resilient to this class of attack.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!