A new malware framework known as PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP’s access to the systems.
Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network.
SentinelLabs researchers say that PCPJack appears designed for large-scale credential theft, and likely monetizes its activity through financial fraud, spam operations, credential resale, or extortion.
TeamPCP is a cloud-focused threat group known for high-profile supply-chain breaches against Aqua Security’s Trivy scanner, the LiteLLM and Telnyx PyPI packages, and more recently, SAP npm packages.
Because of the similarities with TeamPCP attacks, SentinelLabs believes that PCPJack may have been developed by a former TeamPCP affiliate or member who started their own operation.
“Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership,” the researchers explain.
“We believe this could be a former operator who is deeply familiar with the group’s tooling.”
In a report today, SentinelLabs says that PCPJack infects Linux-based cloud systems using a shell script called bootstrap.sh.
Upon execution, it creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator (monitor.py).
During this initial stage, PCPJack explicitly checks for TeamPCP tooling and attempts to delete everything, thus claiming the compromise for itself.
The researchers say that the cleaning activity includes removing TeamPCP processes, services, containers, files, and persistence artifacts, completely eliminating the infections.

Source: SentinelLabs
PCPJack’s capabilities revolve primarily around credential theft, targeting cloud environments, developer systems, messenger apps, financial services, databases, SSH keys, Slack tokens, WordPress configs, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
The credentials are exfiltrated to Telegram channels after they are encrypted using X25519 ECDH and ChaCha20-Poly1305, and split into 2800-byte chunks to respect Telegram’s message character limits.

Source: SentinelLabs
PCPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, then attempts to exploit known vulnerabilities to gain access.
It also downloads hostname data from Common Crawl parquet files and uses them as new targets for the scanning process.
SentinelLabs researchers note that PCPJack is exploiting the following vulnerabilities:
- CVE-2025-29927: auth bypass in Next.js middleware via crafted header
- CVE-2025-55182 (“React2Shell”): Server Actions deserialization flaw in React and Next.js
- CVE-2026-1357: unauthenticated file upload in WPVivid Backup
- CVE-2025-9501: PHP injection in W3 Total Cache via cached mfunc comment
- CVE-2025-48703: shell injection in CentOS Web Panel Filemanager changePerm functionality
Inside compromised environments, the malware performs lateral movement by harvesting SSH keys and credentials, enumerating Kubernetes clusters and Docker daemons, and executing itself on reachable internal hosts.
Once access is obtained, it establishes persistence using systemd services, cron jobs, Redis cron rewrites, or privileged containers before continuing propagation.
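As an added defender-side example (not SentinelLabs’ code and not the malware’s), the following triage over cron and systemd artifacts flags the persistence signals named above: the loader and orchestrator file names from the report, a hidden working directory, and an interpreter run from /tmp. The sample crontab and unit file are constructed, and the hidden-directory and /tmp heuristics are assumptions of mine rather than indicators from the report.

```python
import re

# Artifact names from the SentinelLabs write-up: bootstrap.sh (loader) and monitor.py (orchestrator).
SUSPECT_FILES = ("bootstrap.sh", "monitor.py")
# Heuristics (my assumptions, not report indicators): dot-prefixed dir in the path, interpreter run from /tmp.
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")
INTERPRETER = re.compile(r"\b(?:python3?|sh|bash)\b")

# Constructed samples: crontab lines 3-4 and the unit's ExecStart line (line 2) are the planted hits.
SAMPLE_CRON = """\
SHELL=/bin/sh
0 3 * * * /usr/bin/apt-get update
@reboot /bin/sh /tmp/.x/bootstrap.sh
*/5 * * * * /usr/bin/python3 /root/.cache/svc/monitor.py
"""
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/python3 /opt/.sys/monitor.py
Restart=always
"""

def suspicious_reasons(command):
    """Return why a scheduled command resembles the persistence described in the article."""
    reasons = [f"references {name}" for name in SUSPECT_FILES if name in command]
    if HIDDEN_DIR.search(command):
        reasons.append("executes from a hidden directory")
    if INTERPRETER.search(command) and "/tmp/" in command:
        reasons.append("interpreter launched from /tmp")
    return reasons

def extract_command(line, kind):
    """Command part of a user-crontab entry ("cron") or an ExecStart* directive ("systemd"), else None."""
    s = line.strip()
    if kind == "cron":
        if not s or s.startswith("#") or "=" in s.split()[0]:  # blank, comment, or env assignment
            return None
        return s.split(None, 1 if s.startswith("@") else 5)[-1]  # @reboot has 1 schedule field, else 5
    key, _, value = s.partition("=")
    return value.strip() if key.strip().startswith("ExecStart") else None

def triage(text, kind):
    """Return (line_no, reasons, line) for entries worth an analyst's look; kind is "cron" or "systemd"."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        command = extract_command(line, kind)
        reasons = suspicious_reasons(command) if command else []
        if reasons:
            findings.append((n, reasons, line.strip()))
    return findings
```

Run `triage(open("/var/spool/cron/crontabs/root").read(), "cron")` or the same over each unit file's text; a hit is a triage signal for review, not a verdict, since legitimate tooling also lives under dot-directories.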
SentinelLabs also found a Sliver-based backdoor on the threat actor’s infrastructure, with variants to support x86_64, x86, and ARM system architectures.
To mitigate this risk, the researchers recommend implementing multi-factor authentication (MFA), using IMDSv2 in AWS, ensuring proper authentication for Docker and Kubernetes services, following least-privilege principles, and avoiding storing secrets in plaintext.