The European Union Agency for Cybersecurity (ENISA) has officially attributed the recent data breach at the European Commission — and a broader campaign targeting EU institutions — to the TeamPCP hacking group. The attribution follows weeks of investigation into one of the most significant cyberattacks against EU institutions in recent memory.
ENISA's Attribution
ENISA's investigators determined that TeamPCP orchestrated a multi-stage campaign that leveraged compromised open-source software packages to gain initial access to EU cloud infrastructure. The group is believed to have:
- Backdoored the Telnyx Python library on PyPI — distributing a malicious version that hid an info-stealer inside a WAV audio file to evade detection
- Hijacked Trivy GitHub release tags — poisoning the popular container security scanner to steal CI/CD credentials from victims running the tool in automated pipelines
- Used harvested AWS credentials to access the European Commission's cloud environment, exfiltrating over 300GB of data including personal information
ENISA confirmed that the European Commission was one of at least 30 EU entities impacted by the same campaign.
Who Is TeamPCP?
TeamPCP is a financially motivated threat group that has escalated significantly in 2026. The group is best known for:
- The Telnyx PyPI backdoor — a sophisticated supply chain attack that hid malicious code inside audio files to bypass static analysis tools
- Targeting CI/CD pipelines by compromising tools that run automatically with elevated permissions in developer environments
- Operating amid internal infighting that has led to partial disclosures and leaks about the group's operations and infrastructure
Despite the internal friction reported among its members, TeamPCP has demonstrated increasing technical sophistication, particularly in its ability to compromise trusted open-source tooling and infrastructure components.
Scope of the EU Campaign
The breadth of the campaign is striking. ENISA's investigation identified impact across:
- The European Commission — the primary confirmed breach with 300GB of AWS data stolen
- Multiple EU agencies and bodies — at least 29 additional organizations affected to varying degrees
- Member state institutions — several national government entities that shared CI/CD tooling or infrastructure dependencies with affected EU bodies
The common thread across all victims was reliance on either the compromised Telnyx PyPI package or Trivy in automated workflows, demonstrating how a single supply chain compromise can propagate broadly across interconnected institutional environments.
TeamPCP's Escalating Profile
The attribution marks a significant escalation for TeamPCP, which had previously focused on smaller corporate targets. Breaching the European Commission places the group in the same tier of threat actors capable of targeting major governmental institutions.
Security researchers note that the group's willingness to target EU institutions — which carry significant diplomatic and geopolitical sensitivity — points to one of two profiles: either state sponsorship or tolerance by a nation-state that benefits from intelligence on EU operations, or a financially motivated actor that has identified EU institutions as high-value extortion targets.
EU Response and Lessons
ENISA and affected institutions are working on:
- Full scope determination — identifying all data accessed across the 30+ affected entities
- Credential remediation — rotating all potentially compromised keys and access tokens
- Guidance for EU institutions — ENISA is preparing updated guidance on supply chain risk management for tools used in automated pipelines
The incident reinforces that open-source security tooling is a high-value target — attackers understand that if they can compromise what defenders trust, they gain access to environments that are otherwise well-protected.
Organizations using open-source tools in CI/CD pipelines should:
- Pin versions with cryptographic hash verification rather than pulling release tags by name
- Audit all open-source tools used in automated workflows for unexpected dependencies or behavioral changes
- Apply least-privilege principles — pipeline tools should not have access beyond their specific functional requirements
- Monitor for anomalous outbound data transfers from CI/CD systems
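A concrete form of the first and third recommendations, added here as an illustration and not taken from the article or from any project's own tooling; the version, digest and URL it uses are placeholders, and the verified file is fetched by exact version rather than by a floating release tag:

```shell
#!/usr/bin/env bash
# Added example (not from the article or from any named project): fetch a
# pipeline tool from an immutable, version-pinned URL and refuse to run it
# unless its SHA-256 matches a digest committed beside the pipeline definition.
# TOOL_VERSION, TOOL_SHA256 and TOOL_URL below are constructed placeholders.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare an artifact with the pinned digest. Returns 0 on match, 1 otherwise,
# so the caller (and set -e) stop the job before the tool ever executes.
verify_artifact() {
  local file="$1" expected="$2" actual
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING $file: expected sha256 $expected, got $actual" >&2
    return 1
  fi
  echo "verified $file ($actual)"
}

# Download one release asset by exact version, never a floating tag such as
# "latest", and verify it before marking it executable (read+exec for the
# pipeline user only, per least privilege).
fetch_pinned_tool() {
  local url="$1" expected="$2" out="$3"
  curl -fsSL --retry 3 -o "$out" "$url"
  verify_artifact "$out" "$expected"
  chmod 0500 "$out"
}

TOOL_VERSION="1.2.3"                              # placeholder version
TOOL_SHA256="<sha256 recorded at review time>"    # placeholder digest
TOOL_URL="https://example.invalid/tool/v${TOOL_VERSION}/tool-linux-amd64"

# Run the fetch only when invoked with "fetch", so sourcing this file for the
# functions above has no side effects.
if [ "${1:-}" = "fetch" ]; then
  fetch_pinned_tool "$TOOL_URL" "$TOOL_SHA256" ./tool
fi
# Python dependencies get the same treatment with pip's hash-checking mode:
#   pip install --require-hashes -r requirements.txt
# where every requirements line carries an ==version and a --hash=sha256: entry.
```

Commit the digest alongside the pipeline definition and review changes to it like code; a mismatch then fails the job instead of silently running whatever the tag currently points at.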
Source: The Record