Sometime on March 19, 2026, a poisoned version of the open-source security scanner Trivy slipped into automated build pipelines at the European Commission and began quietly stealing AWS credentials. The tool that thousands of development teams rely on to catch vulnerabilities before code ships to production had itself become the vulnerability. Within hours, an attacker used a stolen API key to create new credentials inside the Commission’s cloud environment and started probing for broader access.
The breach, now tracked as CVE-2026-33634, marks one of the most consequential software supply-chain attacks of 2026 so far. It turned a defensive security tool into a delivery mechanism for credential theft, and any organization that ran the affected versions during the compromise window may have unknowingly handed its cloud keys to an attacker.
Inside the European Commission breach
The most detailed confirmed account comes from CERT-EU, the computer emergency response team for EU institutions. According to its incident report, the attacker embedded malicious code in a Trivy artifact distributed through the project’s software supply chain. When the European Commission’s CI/CD pipelines pulled that artifact during routine security scanning, the compromised code harvested an AWS API key from the build environment.
What happened next followed a textbook playbook for cloud intrusions. The attacker used the stolen key to create a new access key, attached it to an existing IAM user, and began reconnaissance: listing IAM roles, enumerating S3 buckets, and describing EC2 instances. Each step expanded the attacker’s map of the Commission’s cloud infrastructure while staying within the noise of normal API activity.
Trivy is not a fringe tool. Maintained by Aqua Security, it has been downloaded millions of times and is embedded in CI/CD workflows across enterprises, government agencies, and open-source projects. Because security scanners typically receive broad read access to container images, infrastructure-as-code templates, and sometimes cloud APIs, a compromised scanner sits in an extraordinarily privileged position to exfiltrate secrets without triggering alarms.
Which versions are affected
The National Vulnerability Database entry for CVE-2026-33634 identifies the following compromised components:
- Trivy version 0.69.4
- trivy-action (GitHub Action) versions 0.0.1 through 0.34.2
- setup-trivy versions 0.2.0 through 0.2.6
The NVD lists Trivy 0.69.2, Trivy 0.69.3, and trivy-action 0.35.0 as safe releases. One inconsistency worth noting: setup-trivy version 0.2.6 appears in both the affected and safe lists. Whether that version received a post-compromise patch that restored it to a clean state, or whether the overlap reflects a tagging error, is not clarified in the NVD record. Teams running setup-trivy 0.2.6 should verify the exact build hash against the maintainer’s signed release before trusting it.
Any CI/CD workflow that pinned to the affected version ranges during the compromise window may have exposed secrets stored in its build environment: AWS credentials, deployment tokens, container registry passwords, and code-signing keys.
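To triage workflow files against the version ranges listed above, the following added example (not code from Trivy, Aqua Security, CERT-EU or the NVD) scans `uses:` lines and classifies each pinned Trivy action. It assumes the actions are referenced by the GitHub slugs `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`; the verdict labels and the sample workflow are constructed for illustration.

```python
import re

# Affected ranges (inclusive) exactly as listed above from the NVD entry.
# Assumption: the actions are referenced by their GitHub slugs under aquasecurity/.
AFFECTED = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
# Listed as both affected and safe; needs a manual hash check.
AMBIGUOUS = {("aquasecurity/setup-trivy", (0, 2, 6))}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)@([^\s'\"#]+)", re.M)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify(action, ref):
    """Return a verdict for one `uses:` reference, or None if it is not a Trivy action."""
    name = action.lower()
    if name not in AFFECTED:
        return None
    match = SEMVER_RE.match(ref)
    if not match:
        return "unresolved"  # commit SHA, branch or floating tag: resolve to a release by hand
    version = tuple(int(part) for part in match.groups())
    if (name, version) in AMBIGUOUS:
        return "verify-hash"
    low, high = AFFECTED[name]
    return "affected" if low <= version <= high else "outside-range"

def scan_workflow(text):
    """List (action, ref, verdict) for every Trivy action pinned in a workflow file."""
    return [(m.group(1), m.group(2), verdict)
            for m in USES_RE.finditer(text)
            if (verdict := classify(m.group(1), m.group(2)))]

# Constructed workflow fragment for illustration.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE):
        print(*finding)
```

A reference reported as `unresolved` is not cleared: it has to be mapped to the release it pointed at during the compromise window before it can be ruled in or out.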
What the headline claims vs. what the evidence supports
This story’s headline names three projects (Trivy, Checkmarx, and LiteLLM) and attributes the attack to a group called TeamPCP. Readers deserve transparency about where the evidence is strong and where it thins out.
Confirmed by primary sources: The Trivy supply-chain compromise and its impact on the European Commission are documented by CERT-EU and the NVD. These are institutional disclosures based on direct incident response and vulnerability cataloging. The specific attacker actions inside AWS (key creation, IAM user attachment, reconnaissance) are described in CERT-EU’s report.
Not yet confirmed by primary sources: No official statement from Checkmarx or LiteLLM maintainers, and no independent forensic disclosure, corroborates that their CI/CD pipelines were compromised in the same campaign. Secondary reporting has linked both projects to the incident, but until those organizations publish their own advisories or appear in an authoritative bulletin, their involvement should be treated as unverified.
Attribution to TeamPCP also lacks primary forensic backing. CERT-EU describes attacker behavior but does not name a threat actor. No government advisory or law enforcement bulletin in the available evidence ties the campaign to TeamPCP with technical indicators such as command-and-control infrastructure or malware signatures. The name has circulated in secondary accounts, but attribution without shared indicators of compromise remains speculative.
This distinction matters. Organizations should base operational decisions (rotating credentials, auditing pipelines) on the confirmed Trivy compromise while monitoring for official updates that may broaden or narrow the scope.
How the attack exploited trust in security tooling
Supply-chain attacks succeed by hijacking trust relationships that organizations have already vetted. In this case, the trust relationship was unusually sensitive. Trivy runs inside CI/CD pipelines specifically to enforce security policy. It scans container images for known vulnerabilities, checks infrastructure-as-code files for misconfigurations, and sometimes queries cloud APIs to validate live environments. To do that work, it needs access to secrets that most other pipeline steps never touch.
That privileged position made Trivy an ideal target. A compromised build artifact did not need to break through firewalls or trick a human into clicking a link. It simply ran where it was expected to run, with the permissions it was expected to have, and siphoned credentials as a side effect of what looked like a normal scan.
NIST, the federal agency that maintains the NVD, catalogs and scores vulnerabilities but does not conduct attribution investigations. Its role here is to tell organizations what software is affected and what versions to move to. Separately, NIST’s National Checklist Program provides standardized security baselines for platforms and applications. While no dedicated profile for Trivy exists yet, the program’s principles apply directly: least-privilege access to secrets, strict network egress controls, and auditable configuration changes for every tool in the pipeline.
What affected teams should do now
Rotate every exposed secret. If your pipelines ran any of the affected Trivy artifact versions between the compromise date and the availability of patched releases, assume that every secret accessible to the build environment has been stolen. That includes AWS access keys, service account tokens, database passwords, container registry credentials, and code-signing keys. Rotate them all, and extend rotation to downstream systems that share those credentials.
Audit CloudTrail logs. Search for unfamiliar key-creation events, new IAM user attachments, or reconnaissance API calls that mirror the pattern CERT-EU described. Pay close attention to CreateAccessKey, ListUsers, ListRoles, ListBuckets, and DescribeInstances calls, especially from IP ranges or AWS regions that do not match your normal automation. Where logs reveal suspicious activity, isolate affected accounts, capture forensic snapshots, and document timelines before remediation.
Harden CI/CD configurations. Run Trivy and similar scanners with narrowly scoped IAM roles that grant read access only to the specific resources they must scan. Replace long-lived static access keys with short-lived credentials from identity providers or AWS roles that expire automatically. Restrict outbound network access from build agents so that even a compromised tool cannot easily exfiltrate data to arbitrary endpoints.
Pin and verify third-party tooling. Stop trusting a moving “latest” tag for any dependency in your pipeline. Pin to specific versions and verify signatures or checksums against the upstream maintainer’s signed releases. Subscribe to vulnerability feeds that cover your CI/CD dependencies, and rehearse the process of rapidly disabling or replacing a compromised tool.
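For the CloudTrail audit step above, this added example (not taken from CERT-EU's report or any vendor tooling) correlates a `CreateAccessKey` event with reconnaissance calls later made using the newly issued key, which is the sequence the article describes. The one-hour window, the `known_ips` allowlist parameter and every record in the sample are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Reconnaissance calls named in the audit guidance above.
RECON = {"ListUsers", "ListRoles", "ListBuckets", "DescribeInstances"}
WINDOW = timedelta(hours=1)  # assumed correlation window; tune to your log volume

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_key_then_recon(records, known_ips=frozenset()):
    """Return {new_key_id: details} for keys created and then used for recon."""
    created, hits = {}, {}
    for rec in sorted(records, key=_ts):
        ident = rec.get("userIdentity") or {}
        if rec["eventName"] == "CreateAccessKey" and not rec.get("errorCode"):
            new = (rec.get("responseElements") or {}).get("accessKey") or {}
            if new.get("accessKeyId"):
                created[new["accessKeyId"]] = (_ts(rec), ident.get("accessKeyId"), new.get("userName"))
            continue
        key = ident.get("accessKeyId")
        if rec["eventName"] not in RECON or key not in created:
            continue
        made_at, creator, user = created[key]
        if _ts(rec) - made_at <= WINDOW and rec.get("sourceIPAddress") not in known_ips:
            hit = hits.setdefault(key, {"user": user, "created_by": creator, "calls": [], "ips": set()})
            hit["calls"].append(rec["eventName"])
            hit["ips"].add(rec.get("sourceIPAddress"))
    return hits

def _event(time, name, key, ip, response=None):
    # Constructed record holding only the CloudTrail fields this example reads.
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "responseElements": response}

# Constructed sample: key IDs, user name and IPs (documentation ranges) are made up.
SAMPLE = [
    _event("2026-03-19T10:02:11Z", "CreateAccessKey", "AKIAEXAMPLEPIPELINE1", "203.0.113.7",
           {"accessKey": {"accessKeyId": "AKIAEXAMPLENEWKEY001", "userName": "ci-deploy"}}),
    _event("2026-03-19T10:05:40Z", "ListRoles", "AKIAEXAMPLENEWKEY001", "203.0.113.7"),
    _event("2026-03-19T10:06:02Z", "ListBuckets", "AKIAEXAMPLENEWKEY001", "203.0.113.7"),
    _event("2026-03-19T10:09:30Z", "DescribeInstances", "AKIAEXAMPLENEWKEY001", "203.0.113.7"),
    _event("2026-03-19T10:10:00Z", "ListBuckets", "AKIAEXAMPLEBACKUP01", "198.51.100.20"),
]

if __name__ == "__main__":
    for key, hit in find_key_then_recon(SAMPLE).items():
        print(key, hit["user"], hit["calls"], sorted(hit["ips"]))
```

The `created_by` field in each hit is the key that issued the new credential, which is the one to treat as stolen and rotate first.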
Security scanners as attack surfaces
The Trivy incident forces an uncomfortable reckoning for development teams that have spent years integrating security scanning into every stage of their pipelines. The tools designed to keep production safe occupy the same privileged position that makes them devastating when compromised. They touch secrets, they run automatically, and they are rarely subjected to the same zero-trust scrutiny applied to application code.
That needs to change. Treating security scanners as trusted by default is itself a security gap. The same principles that govern access to production databases and deployment keys should govern access granted to scanning tools: least privilege, short-lived credentials, network segmentation, and continuous verification. When the next supply-chain compromise hits a tool that organizations trust implicitly, the teams that survive cleanly will be the ones that never trusted it implicitly in the first place.
*This article was researched with the help of AI, with human editors creating the final content.