A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP’s access to the systems.
Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network.
SentinelLabs researchers say that PCPJack appears designed for large-scale credential theft, and likely monetizes its activity via financial fraud, spam operations, credential resale, or extortion.
TeamPCP is a cloud-focused threat group known for high-profile supply-chain breaches against Aqua Security’s Trivy scanner, the LiteLMM and Telnyx PyPI packages, and more recently, SAP npm packages.
Because of the similarities with TeamPCP attacks, SentinelLabs believes that PCPJack may have been developed by a former TeamPCP affiliate or member that started their own operation.
“Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership,” explain the researchers.
“We believe this could be a former operator who is deeply familiar with the group’s tooling.”
In a report today, SentinelLabs says that PCPJack infects Linux-based cloud systems using a shell script called bootstrap.sh.
Upon execution, it creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator (monitor.py).
During this initial stage, PCPJack explicitly checks for TeamPCP tooling and attempts to delete everything, thus claiming the compromise for themselves.
The researchers say that the cleaning activity includes removing TeamPCP processes, services, containers, files, and persistence artifacts, completely eliminating the infections.
Source: SentinelLabs
PCPJack’s capabilities revolve mainly around credential theft, targeting cloud environments, developer systems, messenger apps, financial services, databases, SSH keys, Slack tokens, WordPress configs, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
The credentials are exfiltrated to Telegram channels after they are encrypted using X25519 ECDH and ChaCha20-Poly1305, and split into 2800-byte chunks respecting Telegram’s message character limits.
Source: SentinelLabs
PCPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, then attempts exploiting known vulnerabilities to gain access.
It also downloads hostname data from Common Crawl parquet files and uses them as new targets for the scanning processscanning targets.
SentinelLabs researchers note that PCPJack is exploiting the following vulnerabilities:
- CVE-2025-29927: auth bypass in Next.js middleware via crafted header
- CVE-2025-55182 (“React2Shell”): Server Actions deserialization flaw in React and Next.js
- CVE-2026-1357: unauthenticated file upload in WPVivid Backup
- CVE-2025-9501: PHP injection in W3 Total Cache via cached mfunc comment
- CVE-2025-48703: shell injection in CentOS Web Panel Filemanager changePerm functionality
Inside compromised environments, the malware performs lateral movement by harvesting SSH keys and credentials, enumerating Kubernetes clusters and Docker daemons, and executing itself on reachable internal hosts.
Once access is obtained, it establishes persistence using systemd services, cron jobs, Redis cron rewrites, or privileged containers before continuing propagation.
SentinelLabs also found a Sliver-based backdoor on the threat actor’s infrastructure, with variants to support x86_64, x86, and ARM system architectures.
To mitigate this risk, the researchers recommend enforcing multi-factor authentication (MFA), using IMDSv2 in AWS, ensuring proper authentication for Docker and Kubernetes services, following least-privilege principles, and avoiding storing secrets in plaintext.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
