Europa.eu Hacked: Modus Operandi Emerges

Pinning to a commit is preferable to referencing a version tag.

This practice has gained some traction in hardening GitHub Actions after a series of attacks that allowed secrets to be stolen from the memory of runners. It has not, however, become widespread across CI/CD pipelines, many of which still rely on tags. One of them may well have been linked to Europa.eu.

On March 27, the European Commission issued a communication about this platform that hosts the EU institutions’ websites. It explained that it had discovered, three days earlier, traces of an attack accompanied by data theft. The following day, the ShinyHunters group published on the dark web what it claimed to be the data in question.

The Trivy vulnerability scanner, likely the initial access vector

CERT-EU has just provided additional details, including what it regards, “with high confidence,” as the initial access vector: Trivy.


This open-source vulnerability scanner owes its existence to the American company Aqua Security. In late February, a misconfiguration in its GitHub Actions environment allowed third parties to extract a token and establish persistence in the release process.

On March 1, Aqua Security, having discovered the incident, rotated its secrets. Yet, the unauthorized access persisted.

On March 19, the attacker force-pushed 76 of the 77 version tags of the trivy-action repository and all 7 tags of the setup-trivy repository, redirecting them to malicious commits. At the same time, a compromised service account* (aqua-bot) triggered the release of a malicious Trivy version (0.69.4).

It took Aqua Security about three hours to contain the attack and remove the malicious components.

An infostealer injected via poisoned version tags

Rather than directly pushing a tainted version of Trivy, the attackers chose to “poison” the version tags. CI/CD pipelines that relied on them kept running as if nothing were amiss.

For each tag, the same sequence:

  • Start from the HEAD of the main branch
  • Inject the infostealer into entrypoint.sh
  • Look up the original commit and clone its metadata
  • Recreate the linkage with the main branch head
  • Force-push the tag to the new commit

The result: an identical file tree across all the malicious commits, and forged metadata that varied only by tag, potentially letting them slip past a review of the Git log. A few telltales nonetheless remained. For example, the new commits were unsigned, whereas the old ones had been GPG-signed when merged via GitHub’s web UI. Or simply that each new commit changed only entrypoint.sh, while the originals touched several files.
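The telltales listed above can be turned into an audit over two snapshots of a repository’s tags. The code below is an added example for this page, not CERT-EU’s or Aqua Security’s tooling: the commit records and tag maps are constructed, and in a real audit they would come from `git for-each-ref`, `git verify-commit` and `git diff-tree --name-only`. It generalises the article’s case by reporting every moved, created or deleted tag with the reasons it looks suspicious.

```python
from dataclasses import dataclass


@dataclass
class Commit:
    sha: str
    signed: bool        # result of a signature check (e.g. git verify-commit)
    files: list         # paths the commit changed
    author_date: str    # cloned metadata makes this match the original commit


# Constructed data: commit records plus tag snapshots before and after a force-push.
COMMITS = {
    "aaa111": Commit("aaa111", True, ["entrypoint.sh", "action.yml", "README.md"], "2024-01-10"),
    "bbb222": Commit("bbb222", False, ["entrypoint.sh"], "2024-01-10"),
    "ccc333": Commit("ccc333", True, ["action.yml"], "2024-02-02"),
}
TAGS_BEFORE = {"v1.0.0": "aaa111", "v1.1.0": "ccc333"}
TAGS_AFTER = {"v1.0.0": "bbb222", "v1.1.0": "ccc333"}


def audit_tag_moves(before, after, commits, sensitive=("entrypoint.sh",)):
    """Return {tag: [reasons]} for every tag that differs between the snapshots."""
    findings = {}
    for tag in sorted(set(before) - set(after)):
        findings[tag] = ["tag deleted"]
    for tag, new_sha in after.items():
        old_sha = before.get(tag)
        if old_sha == new_sha:
            continue
        reasons = ["tag moved" if old_sha else "tag created"]
        new = commits[new_sha]
        if not new.signed:
            reasons.append("new commit is unsigned")
        if old_sha:
            old = commits[old_sha]
            if old.signed and not new.signed:
                reasons.append("replaced a signed commit")
            if new.author_date == old.author_date:
                reasons.append("author date copied from the original commit")
        if set(new.files) <= set(sensitive):
            reasons.append("only " + ", ".join(new.files) + " changed")
        findings[tag] = reasons
    return findings


if __name__ == "__main__":
    for tag, reasons in audit_tag_moves(TAGS_BEFORE, TAGS_AFTER, COMMITS).items():
        print(tag, "->", "; ".join(reasons))
```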

TeamPCP, a group attuned to misconfigurations

The payload was designed to harvest sensitive information, starting with secrets. It ran before the Trivy scan, which was therefore all the more likely to complete unhindered. Data exfiltration primarily occurred via POST to a typosquatted Aqua Security domain or, alternatively, by creating a public repository in the victim’s GitHub account.

In a comment line, the malware identifies itself as “TeamPCP Cloud stealer.”


Tracked only recently, TeamPCP has gained notoriety for exploiting misconfigurations, including in Docker APIs, Kubernetes clusters, and Redis servers. Wiz, which has published an analysis of the group, does not attribute a nationality to it. Beyond the name that appears in the malware’s code, there are technical similarities to its earlier tools.

Five days to detect the incident

One of the API keys obtained via Trivy on March 19 provided access to “AWS accounts affiliated with the European Commission,” according to CERT-EU.

Having tested it with TruffleHog, the attacker used it to create a new key and attach it to an existing user.

The European Commission’s SOC raised the alarm on March 24 and reported the incident to CERT-EU the next day. This in turn reinforces the Trivy lead, given that the timing of the attacks coincides and that Brussels was using a compromised version of the vulnerability scanner during the period in question.

The current tally indicates the theft of data from at least 71 Europa.eu clients: 42 internal to the European Commission and 29 from other EU entities. Some of this data is personal in nature: names, surnames, and email addresses in particular. There is also a little over 2 GB (52,000 files) of outgoing emails. Most are automated notifications with little to no content, CERT-EU notes. However, there are bounce-back messages whose body may contain the sender’s message…

Worry over instant messaging

For now, there is no evidence of lateral movement to other AWS accounts of the European Commission, according to CERT-EU.

This episode adds to a string of attacks against EU institutions and member states. Earlier this year, the European Commission had seen its mobile device management infrastructure compromised, apparently via a vulnerability in Ivanti EPMM.

More recently, CERT-FR and several European counterparts issued alerts about the targeting of instant messaging services, especially in sovereign sectors. In response, the European Commission shut down a Signal group used by directors of departments, an operation undertaken out of concern over potential hacking and only recently brought to its attention.


In March, the EU added three companies involved in cyberattacks to its sanctions list: two Chinese firms that contributed to the hacking of critical infrastructure and tens of thousands of endpoints (65,000 in 6 member states), and one Iranian company to which the 2023 Charlie Hebdo breach (subscribers’ postal and email addresses sold on the dark web) and the hijacking of advertising billboards during the Paris 2024 Games to spread disinformation have been attributed.

* Also used to retrieve additional credentials on Aqua Security’s GitHub, including GPG keys and authentication tokens for Docker Hub, Slack, and X (formerly Twitter), exfiltrated via a Cloudflare tunnel.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.