TeamPCP’s Trivy Supply Chain Hack Just Breached the European Commission – Your Dev Tools Are a Ticking Bomb
The cybercrime crew TeamPCP pulled off a nasty supply chain attack on Aqua Security’s Trivy vulnerability scanner, injecting credential-stealing malware into official GitHub releases.[1] This weekend the same crew escalated with a wiper attack aimed at Iranian Kubernetes clusters, and it is now confirmed that they also snagged over 300 GB of data, personal information included, from the European Commission’s AWS environment.[1][2]
The Grimy Technical Details
TeamPCP kicked this off back in December 2025 with a self-propagating worm that hit exposed Docker APIs, Kubernetes clusters and Redis servers and exploited the React2Shell vuln (CVE-2025-55182).[1] On March 19 they compromised Trivy’s GitHub Actions and pushed malicious versions that slurped SSH keys, cloud creds, K8s tokens and crypto wallets.[1] Wiz confirmed the damage and Aqua yanked the bad files, but too late for the EU folks.[1][2] Over the weekend, Charlie Eriksen at Aikido spotted their infrastructure deploying a geo-targeted wiper: if the infected host’s timezone says “Iran” and the malware has Kubernetes access, poof, every node’s data gets nuked.[1]
So What? Why Devs and Sec Teams Should Lose Sleep
If Trivy, a tool you probably run in your CI/CD pipelines to scan for vulns, can get pwned like this, your entire supply chain is exposed. Devs: audit those GitHub workflows yesterday; one bad release and attackers have the keys to your kingdom. Sec teams: exposed APIs and misconfigs are TeamPCP’s playground. Patch React2Shell, lock down Docker/K8s/Redis, and assume your scanners are compromised.[1]
My take: this is peak 2026 chaos; supply chain attacks aren’t “if”, they’re “when”. Ditch blind trust in open-source tools: verify release signatures and checksums, keep SBOMs, and run runtime monitoring now, or watch your cloud bleed creds like the EU just did. Wake up, folks.[1][2]
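Two of those checks in working form, as an added example that is not Trivy’s, Aqua’s or this post’s own code: a POSIX shell script that (a) scans a GitHub Actions workflow for `uses:` references pinned to a mutable tag or branch rather than a full commit SHA, which is the one-line change that stops a moved or re-tagged release from flowing into your build, and (b) verifies a downloaded release artifact against a published sha256 checksums file before anything executes it. The workflow, artifact files and checksum lines are constructed for the example (the `0123…` SHA is a placeholder and the action names are illustrative); nothing is downloaded.

```shell
#!/bin/sh
# Added example, not Trivy's, Aqua's or TeamPCP's code. Two checks that follow directly from
# the advice above, with constructed sample inputs so it runs offline:
#   find_unpinned_actions WORKFLOW   - flag `uses:` refs that are a mutable tag/branch instead
#                                      of a 40-hex commit SHA (a moved tag is how a poisoned
#                                      release reaches your pipeline with no diff on your side)
#   verify_checksum SUMS ARTIFACT    - confirm a downloaded release matches the published
#                                      "<sha256>  <filename>" entry before anything executes it
# Both return 0 on pass and 1 on fail, so they can gate a CI job.

find_unpinned_actions() {
    workflow="$1"
    # Keep `uses:` lines, drop those pinned to a full SHA, drop local actions (./path has no ref).
    unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$workflow" \
        | grep -vE 'uses:[[:space:]]*[^[:space:]]+@[0-9a-f]{40}([[:space:]]|$)' \
        | grep -vE 'uses:[[:space:]]*\./' || true)
    [ -z "$unpinned" ] && return 0
    printf '%s\n' "$unpinned"
    return 1
}

sha256_of() {
    # GNU coreutils on Linux, perl shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_checksum() {
    sums="$1"; artifact="$2"
    name=$(basename "$artifact")
    # Accept both "<hex>  name" and "<hex> *name" (binary-mode) lines.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$artifact")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name sha256 $actual does not match published $expected" >&2
        return 1
    fi
    echo "ok: $name"
}

# Constructed sample inputs (not a real workflow and not real releases).
make_samples() {
    dir="$1"
    cat > "$dir/ci.yml" <<'EOF'
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned (placeholder SHA)
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-lint
      - name: unpinned tag
        uses: some-org/some-action@v2
EOF
    # sha256("hello\n") is the well-known 5891b5b5...; the tampered file has one byte changed
    # but the checksums file still lists the original hash, as after a swapped release asset.
    printf 'hello\n' > "$dir/trivy_sample.tar.gz"
    printf 'hellp\n' > "$dir/trivy_tampered.tar.gz"
    cat > "$dir/checksums.txt" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  trivy_sample.tar.gz
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  trivy_tampered.tar.gz
EOF
}

main() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "== unpinned action refs in ci.yml =="
    if find_unpinned_actions "$tmp/ci.yml"; then echo "all pinned"; fi
    echo "== release checksums =="
    verify_checksum "$tmp/checksums.txt" "$tmp/trivy_sample.tar.gz"   || true
    verify_checksum "$tmp/checksums.txt" "$tmp/trivy_tampered.tar.gz" || true
    rm -rf "$tmp"
}
main
```

In a real pipeline you would point `find_unpinned_actions` at `.github/workflows/*.yml` and `verify_checksum` at the checksums file from the release page. A checksums file served from the same compromised release is only as trustworthy as the release itself, so if the project signs that file (check the project’s docs for its `cosign verify-blob` instructions), verify the signature before trusting any hash in it.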