The European Commission hacked: when the regulator becomes proof of what it denounces
340 GB of data exfiltrated, 30 European entities hit, DKIM keys in the wild. The European Commission that drafts NIS 2, the Cyber Resilience Act and the cybersolidarity regulation has just proven, at its own expense, that directives do not…

340 GB of data exfiltrated, 30 European entities hit, DKIM keys in the wild. The institution that drafts NIS 2, the Cyber Resilience Act and the cybersolidarity regulation has just proven, at its own expense, that directives do not protect against configuration errors.
A few days ago, the TeamPCP group made tech headlines by compromising LiteLLM, the most popular Python package in the AI ecosystem, through the prior compromise of the vulnerability scanner Trivy. A cascading supply chain attack, credential pivoting, three links, one week. 3.4 million downloads a day. The affair already had plenty to worry about.
But what followed is worse.
On 3 April 2026, CERT-EU published its analysis report on the cyberattack that struck the European Commission in late March. And the conclusion is unambiguous: the intrusion into the Commission's AWS cloud infrastructure came through the same door as LiteLLM. Trivy compromised, AWS API key stolen, lateral pivot, massive exfiltration. Same campaign. Same group. Same vector.
The European Commission, the institution that writes the cybersecurity rules for 450 million Europeans, was compromised by a supply chain attack identical to the one that hit an open source Python library the previous week. And it took five days to notice.
The timeline, as CERT-EU reconstructs it
Initial access dates back to 19 March 2026. As part of its normal processes, the Commission downloaded a compromised version of Trivy. The tool, hijacked by TeamPCP during the campaign documented by Wiz, Snyk and Palo Alto Networks, allowed the attackers to harvest an AWS API key tied to the Europa.eu infrastructure.
That key had management rights over other Commission AWS accounts. The attackers then used TruffleHog to scan the environment for additional secrets, validated the AWS credentials via the Security Token Service, then created and attached a new access key to an existing user in order to blend into legitimate traffic.
The Commission's Security Operations Centre triggered no alert before 24 March. Five days after the initial intrusion. CERT-EU was notified on 25 March. Access was revoked the same day.
On 28 March, ShinyHunters, the extortion group that operates BreachForums, published the stolen data on its dark web leak site. 90 GB compressed, around 340 GB uncompressed.
What was stolen (and why it is worse than an ordinary breach)
CERT-EU confirms that the dataset contains personal data (first names, surnames, usernames, email addresses) coming mainly from the Commission's websites but potentially linked to users across multiple Union entities. 51,992 files linked to outgoing email communications, totalling 2.22 GB. Most are automatic notifications, but the "bounce-back" messages contain the original content submitted by users, which creates a real risk of exposing personal data.
In total, 71 clients of the Europa hosting service are potentially affected: 42 entities internal to the Commission and at least 29 other Union bodies. Among the agencies potentially hit, according to researchers' analyses: the European Medicines Agency, the European Banking Authority, ENISA itself, and Frontex.
But the most critical point is not in the emails. It is the Commission's DKIM keys that were exfiltrated. DKIM (DomainKeys Identified Mail) is the cryptographic mechanism that authenticates that an email really comes from the domain it claims to represent. With these keys, an attacker can forge emails that pass the authentication checks of the European Commission's official domains. Emails that the spam filters of 27 member governments, of NATO, of business partners, of regulators, of thousands of lobbyists will let through because they are technically authentic.
This is industrial-scale spear-phishing with a cover of authenticity that even the most advanced systems will not detect, until the Commission has carried out a full rotation of all affected DKIM keys. And to date, it has not confirmed doing so.
The same campaign, over and over
CERT-EU's attribution is clear: TeamPCP is responsible for the intrusion, ShinyHunters for the publication. TechCrunch reports that a ShinyHunters member confirmed to them in chat that they had stolen data TeamPCP had "previously taken in earlier attacks". This division of labour (one group for initial access and exfiltration, another for extortion and publication) is a marker of professionalisation of the criminal ecosystem.
The TeamPCP campaign, as documented by CERT-EU, Wiz, Palo Alto Networks Unit 42, Endor Labs and Snyk, hit five ecosystems in three weeks (GitHub Actions, Docker Hub, npm, Open VSX, PyPI) and targets ranging from LiteLLM to Checkmarx KICS, from Telnyx to the European Commission itself. Mandiant estimates that more than 1,000 SaaS environments are actively impacted by the cascading effects. Google Cloud assesses that "hundreds of thousands of stolen secrets could potentially be in circulation".
The pattern is always the same: compromise an open source security or infrastructure tool, harvest the credentials that give access to the next target, pivot, exfiltrate, move on to the next link. Unverified transitive trust, turned into an offensive weapon.
The structural irony
And this is where the affair stops being a technical incident and becomes a textbook case in governance.
The European Commission is the institution that drafted NIS 2, the directive that requires critical entities to detect incidents within 24 hours and to notify them promptly. The Commission took five days to detect the intrusion into its own cloud environment.
The European Commission is the institution behind the Cyber Resilience Act, the cybersolidarity regulation, and the overhaul of the cybersecurity regulation. In January 2026, ten days before the year's first breach (the hack of its MDM), it presented a new legislative package meant to strengthen the Union's collective defences.
The European Commission is the institution that promotes European digital sovereignty. Its web infrastructure is hosted at Amazon Web Services. And the breach did not come from AWS (Amazon confirmed that no security incident had affected its services). It came from a configuration and access management error in the Commission's cloud environment. The classic breach. The one NIS 2 is supposed to prevent.
This is not irony. It is a stress test under real conditions. And the Commission failed it.
What this affair reveals about the human factor in cyber governance
It would be easy to mock. That is in fact what many commentators are doing this week. But mockery misses the real point.
What this affair shows is that regulatory sophistication does not make up for operational failures. You can draft the most advanced directives in the world. If your Security Operations Centre does not detect an abnormal API call for five days, if your cloud access keys are not isolated and rotated, if your software chain of trust is not audited, the directives are paper.
And it is exactly the same problem I pointed to in my analysis of the ReCyF: an approach to security that formalises objectives, documents processes, structures governance, but assumes that execution will follow mechanically. It does not follow. Because execution depends on human decisions: who watches the alerts, who checks the configurations, who audits the chains of trust, who decides to act on a weak signal or ignore it.
The Commission was not hacked because it lacked directives. It was hacked because someone, somewhere in the operational chain, trusted without verifying. It is an inherited trust bias, the same mental shortcut I observe in organisations that think a popular tool is necessarily safe.
Europe's most powerful regulator has just proven, unintentionally, the thesis I have been defending for years: the texts protect no one. It is human decisions, made under cognitive pressure, in complex environments, that determine whether an organisation is truly secure or merely compliant on paper.
And if the European Commission can be hacked, with its dedicated teams, its CERT-EU, its budgets, its directives and its regulatory arsenal, then ask yourself honestly: what makes you believe your organisation is safe?
This is not a rhetorical question. It is the only question that matters. Because if the institution that sets the cybersecurity standards for an entire continent gets compromised by a cloud configuration error and an unverified open source tool, then no company size, no budget, no compliance label constitutes a guarantee. The threat does not discriminate between a logistics SME and the European executive. It looks for the weakest link in the chain of trust. And it finds it.
That is precisely why cybersecurity cannot remain a matter for specialists or regulators. It is a matter for leaders. It is a matter of organisational culture. It is a matter of daily decisions made by humans who often have neither the training, nor the tools, nor the time to verify every link in the chain. And that is why the answer will never come from one more directive. It will come from the moment each organisation accepts that it is a target, whatever its size, and acts accordingly.
Again and always, the human factor.
Christophe Mazzola, christophemazzola.fr Author of « Être en cybersécurité ». Politely paranoid, always.
Sources
- CERT-EU, 3 April 2026, analysis report on the compromise of the European Commission's cloud infrastructure
- TechCrunch, 3 April 2026, « Europe's cyber agency blames hacking gangs for massive data breach and leak »c
- BleepingComputer, 3 April 2026, « CERT-EU: European Commission hack exposes data of 30 EU entities »
- BleepingComputer, 30 March 2026, « European Commission confirms data breach after Europa.eu hack »
- Help Net Security, 3 April 2026, « Trivy supply chain attack enabled European Commission cloud breach »
- The Record, 3 April 2026, « EU cyber agency attributes major data breach to TeamPCP hacking group »
- The Next Web, 4 April 2026, « European Commission breached after hackers poisoned open-source security tool Trivy »
- SecurityWeek, 28 March 2026, « European Commission Reports Cyber Intrusion and Data Theft »
- Cybernews, 31 March 2026, « It looks bad: inside ShinyHunters' European Commission data breach »
Questions fréquentes
How did the attackers get into the Commission's infrastructure?
On 19 March 2026, the Commission downloaded a compromised version of Trivy, hijacked by the TeamPCP group. This tool allowed them to harvest an AWS API key from the Europa.eu infrastructure, then pivot and exfiltrate data on a massive scale.
What is the most critical piece of data that was stolen?
Beyond the personal data and 51,992 email files, it was the Commission's DKIM keys that were exfiltrated. They allow emails to be forged that pass the authentication checks of official domains, opening the way to industrial-scale spear-phishing.
Who is responsible for the attack?
According to CERT-EU's attribution, TeamPCP is responsible for the intrusion and exfiltration, while ShinyHunters, which operates BreachForums, published the stolen data on 28 March 2026. This division of labour marks a professionalisation of the criminal ecosystem.
Is AWS at fault in this compromise?
No. Amazon confirmed that no security incident had affected its services. The breach stems from a configuration and access management error in the Commission's cloud environment, along with an unaudited software chain of trust.
Why is this affair described as a structural irony?
The Commission is the institution that mandates, through NIS 2, rapid incident detection, yet it took five days to detect the intrusion into its own cloud. The affair shows that regulatory sophistication does not make up for operational failures.
Sources & méthodologie
- CERT-EU, analysis report on the compromise of the European Commission's cloud infrastructure, 3 April 2026:
- TechCrunch, « Europe's cyber agency blames hacking gangs for massive data breach and leak », 3 April 2026
- BleepingComputer, « CERT-EU: European Commission hack exposes data of 30 EU entities », 3 April 2026
- Help Net Security, « Trivy supply chain attack enabled European Commission cloud breach », 3 April 2026
- The Record, « EU cyber agency attributes major data breach to TeamPCP hacking group », 3 April 2026
- SecurityWeek, « European Commission Reports Cyber Intrusion and Data Theft », 28 March 2026

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
