Trivy, Aqua Security’s open-source container and dependency scanner, served as the supply-chain entry point for the TeamPCP campaign — a compromised Trivy installation or dependency provided the initial vector for credential theft leading to the European Commission AWS breach. No CVE has been assigned; the risk is integrity-based rather than a software vulnerability. Organizations should verify all Trivy installations against official release hashes from the Aqua Security GitHub repository and enforce hash-pinned dependency references in all CI/CD pipelines consuming Trivy.
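One way to audit the hash-pinning recommendation above, as an added example that is not from the original page or from Aqua Security: the script flags Trivy references in CI workflow text that use a tag or branch instead of a full commit SHA or an image digest. The workflow text, commit SHA and digest are constructed sample values, and `audit_trivy_refs` is a hypothetical helper name.

```python
import re

# GitHub Actions step that uses a Trivy action: owner/name@ref
ACTION_RE = re.compile(r"uses:\s*['\"]?(aquasecurity/[\w.-]*trivy[\w.-]*)@([^\s'\"#]+)")
# Trivy container image, optionally prefixed by a registry host
IMAGE_RE = re.compile(r"\b((?:[\w.-]+/)?(?:aquasec|aquasecurity)/trivy)(?![\w/-])([^\s'\"]*)")
COMMIT_SHA = re.compile(r"[0-9a-f]{40}")          # full commit SHA, immutable
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")     # image content digest, immutable


def audit_trivy_refs(text):
    """Return (line_no, reference, reason) for each Trivy reference not pinned by hash."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        action = ACTION_RE.search(line)
        if action:
            name, ref = action.groups()
            if not COMMIT_SHA.fullmatch(ref):
                findings.append((line_no, f"{name}@{ref}",
                                 "action ref is a tag or branch, not a full commit SHA"))
            continue
        for image in IMAGE_RE.finditer(line):
            name, suffix = image.groups()
            if not DIGEST.search(suffix):
                findings.append((line_no, name + suffix,
                                 "image is not pinned to a sha256 digest"))
    return findings


# Constructed sample values: not a real commit, digest or pipeline.
PIN_SHA = "0123456789abcdef0123456789abcdef01234567"
PIN_DIGEST = "sha256:" + "ab" * 32
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    container: ghcr.io/aquasecurity/trivy:latest
    steps:
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@{PIN_SHA}
      - run: docker run aquasec/trivy@{PIN_DIGEST} image app:ci
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_trivy_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

The check is textual, so it confirms that a reference is pinned, not that the pinned value matches an official release; that comparison still has to be made against the hashes published in the Aqua Security GitHub repository.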