The European Commission ran Trivy, a security scanner, inside its automated build pipeline on AWS. A criminal group called TeamPCP poisoned Trivy itself.
The scanner had elevated permissions. Attackers used that access to steal 340 GB of data. ShinyHunters, a data extortion gang, published the dataset. 71 hosted clients were affected.
The same attack hit Sportradar (23,169 athlete records, 328 API credential pairs offered for up to $50K) and 1,000+ other organizations.
