A supply-chain compromise of Trivy, the open-source container scanning tool maintained by Aqua Security, was used to harvest AWS API keys embedded in CI/CD pipeline configurations, enabling direct authenticated access to AWS-hosted European Commission infrastructure and exfiltration of approximately 92 GB of sensitive data affecting 42 internal clients and 29 EU entities. No CVE has been assigned; the root risk is architectural — static cloud credentials exposed within scanner execution environments rather than a patchable vulnerability in Trivy itself. Organizations running Trivy or comparable scanning tools with cloud credential access should immediately audit and rotate exposed AWS IAM keys, replace static credentials with short-lived IAM role or OIDC-based federation, and conduct a secrets scanning sweep across all repositories and pipeline definitions.
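One way to start the sweep of pipeline definitions for embedded long-term AWS keys, shown as an added example (not code from Trivy, Aqua Security or the incident reporting). The file names, registry host, role ARN, token path and pipeline layout are constructed, and the two key values are AWS's published documentation placeholders, not real credentials.

```python
import re

# Long-term IAM user access key IDs begin with "AKIA" and are 20 characters long.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# A literal 40-character value assigned to AWS_SECRET_ACCESS_KEY (not a $VAR or ${{ ... }} reference).
SECRET_LITERAL = re.compile(r"AWS_SECRET_ACCESS_KEY\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def redact(value):
    return value[:4] + "..." + value[-4:]  # enough to identify the key, never the full value

def scan_pipeline(path, text):
    """Return (path, line_no, kind, redacted_value) for each embedded static credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "access-key-id", redact(m.group(0))))
        m = SECRET_LITERAL.search(line)
        if m:
            findings.append((path, line_no, "secret-access-key", redact(m.group(1))))
    return findings

# Constructed pipeline definitions: one with embedded static keys, one using web-identity federation.
SAMPLES = {
    "ci/scan-static.yml": """\
jobs:
  image-scan:
    env:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    steps:
      - run: trivy image registry.example.internal/app:latest
""",
    "ci/scan-federated.yml": """\
jobs:
  image-scan:
    env:
      AWS_ROLE_ARN: arn:aws:iam::111122223333:role/ci-scanner
      AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/ci/oidc-token
    steps:
      - run: trivy image registry.example.internal/app:latest
""",
}

def sweep(files):
    return [f for path, text in sorted(files.items()) for f in scan_pipeline(path, text)]

if __name__ == "__main__":
    for path, line_no, kind, shown in sweep(SAMPLES):
        print(f"{path}:{line_no}: {kind} {shown}")
```

Each finding names a key to rotate in IAM and a pipeline to move to role or OIDC federation. A clean result covers only literal values in the scanned files, not keys held in CI secret stores or earlier commits.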