isc.sans.edu 4/3/2026, 2:11:33 PM

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments, (Fri, Apr 3rd)

CyberSIXT Evidence Panel
Primary Source: cert.europa.eu
CISA KEV: Listed in KEV
Patch: Available
Threat Actor

According to CERT-EU, the European Commission’s Europa web hosting platform on AWS was breached via the Trivy supply chain compromise (CVE-2026-33634), with initial access on 19 March, detection on 24 March, and notification to CERT-EU on 25 March. The breach exposed 340 GB uncompressed (91.7 GB compressed) of data and around 52,000 email-related files, affecting 71 clients including 42 internal European Commission departments and 29 other EU entities.

ShinyHunters published the stolen data on 28 March, and CERT-EU confirmed no lateral movement to other Commission AWS accounts. Sportradar AG’s breach was confirmed as a systemic compromise jointly operated by TeamPCP and Vect, with entry via the Trivy CVE, exposing approximately 26,000 users’ personal data, 23,169 athlete records, and a client table listing 161 organisations such as ESPN, Nike, NBA Asia and IMG Arena.

The incident also revealed credential exposure, including 8 production RDS passwords and 328 API key/secret pairs. Mandiant estimated the campaign affected over 1,000 SaaS environments and perhaps 500,000 machines across all victims.

Article by CyberSIXT