TeamPCP hit the European Commission. CERT-EU attributed the breach “with high confidence,” confirming the group got in through a compromised version of Trivy, the popular open-source security scanner.

A security tool was the attack vector. The irony writes itself.

An AWS API key with management-level rights was compromised. Data from at least 30 EU entities got exposed. Then ShinyHunters published it all on their dark web site on March 28.

We’ve been tracking TeamPCP’s escalation for weeks. March 30: ransomware via AI libraries. April 2: the Mercor supply chain breach. Now the European Commission. Each operation is bigger, bolder, and hits a higher-profile target.

Their playbook is consistent. Find a trusted open-source tool, poison it, let the supply chain do the work. Trivy, KICS, LiteLLM, Telnyx. Each compromised tool opens a different door to a different set of targets. No zero-days needed when you can compromise the tools people already trust.

The attribution picture is messy. TeamPCP did the breaking in. ShinyHunters did the leaking. Lapsus$ is also claiming credit. The relationship between these groups is unclear. Nobody’s publishing org charts.

What makes TeamPCP different is their infrastructure. They use blockchain-based Internet Computer Protocol canisters for command and control. You can’t just seize a server when it’s distributed across a decentralized network. That makes takedowns extremely difficult.

The European Commission is reportedly downplaying the impact. When data from 30 separate EU entities gets exposed through your infrastructure, “downplaying” is a strategy, not a conclusion.

If your CI/CD pipeline uses Trivy, KICS, LiteLLM, or Telnyx, audit your installations now. Check package integrity. Verify versions against known-good hashes. Look for unexpected outbound connections from build environments.
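One way to script the hash and egress checks above. This is an added example, not code from CERT-EU or any of the affected projects. It assumes you hold pinned SHA-256 digests recorded from a source you trust independently, and the connection-record format and hostnames are constructed for illustration.

```python
import hashlib
import hmac
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large scanner binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_tools(pinned, installed):
    """pinned: {tool: known-good sha256 hex}; installed: {tool: path on the runner}.
    Returns {tool: status}; anything other than 'ok' should fail the build."""
    results = {}
    for tool, path in installed.items():
        if tool not in pinned:
            results[tool] = "unpinned"          # no known-good digest recorded
        elif not Path(path).is_file():
            results[tool] = "missing"
        elif hmac.compare_digest(sha256_file(path), pinned[tool].lower()):
            results[tool] = "ok"
        else:
            results[tool] = "mismatch"          # binary differs from the pinned release
    return results

def unexpected_egress(conn_lines, allowed_hosts):
    """conn_lines: 'process remote_host:port' records from the build environment
    (constructed format). Returns (process, host, port) tuples outside the allowlist."""
    hits = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1]:
            continue                            # skip malformed records
        host, _, port = parts[1].rpartition(":")
        if host.lower() not in allowed_hosts:
            hits.append((parts[0], host, port))
    return hits

if __name__ == "__main__":
    # Constructed sample: registry.example and collector.invalid are placeholders.
    log = ["trivy registry.example:443", "trivy collector.invalid:443"]
    print(unexpected_egress(log, {"registry.example"}))
```

Treat `unpinned` as a failure too: a tool with no recorded digest cannot be verified at all.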

TeamPCP has moved from the periphery to center stage. Your security is only as good as every open-source dependency in your stack. That’s a hard problem. Ignoring it is worse.


How a security scanner became the weapon that breached the EU