Cloud environments face a new automated threat. Security researchers uncovered PCPJack, a modular credential theft operation that spreads like a worm across exposed infrastructure while methodically erasing traces of its predecessor, TeamPCP.
The discovery came from analysts at SentinelOne. Their detailed examination reveals a framework built for scale. It harvests keys from cloud providers, containers, messaging platforms, financial services and developer tools. Then it pushes that data to attacker-controlled channels. No cryptomining appears in its arsenal. That marks a deliberate shift from many similar campaigns that rely on resource hijacking for steady revenue.
But PCPJack does more than steal. It cleans house. Upon infection the initial bootstrap script scans for TeamPCP artifacts, kills associated processes, deletes containers and removes persistence mechanisms. It even reports a “PCP replaced” metric back to its operators. “The script’s first actions are to evict and delete tools associated with the TeamPCP attack group, leading us to call the toolset PCPJack,” the SentinelOne team noted.
This rivalry hints at internal fractures. TeamPCP gained notoriety earlier in 2026 through supply chain attacks on PyPI packages, npm modules and security tools. Similarities in targeting suggest PCPJack may stem from a former affiliate who broke away. BleepingComputer reported that the new malware mirrors early TeamPCP campaigns from late 2025 before the group drew heavy scrutiny.
Infection starts simply enough. A shell script named bootstrap.sh drops onto Linux systems, often through exploited web applications or exposed services. It creates a hidden directory at /var/lib/.spm/. It checks the host’s public IP against a blocklist to avoid self-infection. Then it installs Python if needed, sets up a virtual environment with required packages and downloads six core modules from an Amazon S3 bucket.
Those modules arrive disguised. worm.py becomes monitor.py and acts as the main orchestrator. It pulls in parser.py as utils.py, lateral.py as _lat.py and others. Sensitive strings stay encrypted with XOR against a hash derived from urllib3.poolmanager. The setup looks almost benign. It registers as a system monitor service when run with root privileges or falls back to cron jobs that fire every five minutes.
Once running, monitor.py gets to work. It sweeps directories for configuration files, environment variables, SSH keys, bash history and git repositories. It queries AWS instance metadata, Kubernetes secrets and Docker runtime data. The renamed utils.py then parses everything using regular expressions. The list of targets runs long. AWS access keys. Kubernetes tokens. Slack workspaces. GitHub tokens. OpenAI and Anthropic API keys. Discord tokens. DigitalOcean credentials. WordPress databases. And a wide array of cryptocurrency wallets and exchange accounts from Binance to Coinbase, Stripe to Solana.
Stolen data gets encrypted with care. The crypto_util module generates an X25519 key pair for each chunk, performs ECDH with a hardcoded attacker public key, applies ChaCha20-Poly1305 and splits output into 2800-byte pieces to fit Telegram limits. Each transmission starts with a lock emoji. Exfiltration heads to Telegram channels for both data upload and command retrieval. Operators can issue RUN to execute arbitrary scripts or PARQUET to refresh target lists.
Propagation sets PCPJack apart. The framework pulls parquet files from Common Crawl, a public web archive. It extracts hostnames from massive datasets, deduplicates entries up to 15 million per node and assigns scan windows based on a seed value. This approach avoids noisy random scanning. It focuses on pre-validated domains likely to host vulnerable services. “PCPJack’s most novel feature is the use of parquet files for finding new targets,” said Alex Delamotte, senior threat researcher at SentinelLabs, in the SentinelOne analysis. “Unlike aimless scanning, it filters for hosts with valid HTTP responses.”
From there the cloud_scan module, originally cloud_scan.py, probes for exposed Docker daemons on ports 2375 and 2376, Kubernetes APIs, Redis instances, MongoDB on 27017 and RayML dashboards on 8265. When it finds a target it hands off to lateral movement code.
Inside networks the worm moves aggressively. It enumerates Kubernetes namespaces and pods using service account tokens. It reads secrets even without full RBAC by mounting host filesystems in privileged containers. Docker sockets yield container lists and allow host escapes via bind mounts. Redis instances get fully dumped for keys and values. The malware can rewrite cron jobs to ensure persistence. SSH spraying uses harvested keys and known_hosts data to hop to new machines. MongoDB and RayML offer additional vectors for code execution.
External spread relies on five specific vulnerabilities. The Hacker News outlined the set in its initial coverage. CVE-2025-55182, known as React2Shell, is a server actions deserialization flaw in React and Next.js versions before 19.0.1. CVE-2025-29927 bypasses authentication in Next.js middleware through a crafted header. WordPress plugins fall too. CVE-2026-1357 enables unauthenticated file uploads in WPVivid Backup. CVE-2025-9501 injects PHP through cached comments in W3 Total Cache. And CVE-2025-48703 permits shell injection in the CentOS Web Panel file manager.
These flaws carry high severity scores. Several exceed CVSS 9.0. Their public availability makes automated exploitation straightforward for any actor with basic scripting skills. PCPJack chains them efficiently. It scans subnets after initial foothold and repeats the process on newly compromised hosts.
A secondary toolset adds redundancy. It includes a credential extractor script and garble-obfuscated Sliver beacons compiled for x86_64, x86 and ARM. These connect to infrastructure on ports 443 and 8443. They expand the target list to include HashiCorp Vault, Grafana Cloud, 1Password and additional API keys. The presence of two overlapping frameworks suggests the operators hedge against detection or test new techniques.
Researchers found operational slips. The bootstrap script contains an unencrypted Telegram bot token. Hardcoded encryption keys appear in the Python code. A German VPS IP shows up in blocklists and infrastructure, possibly tying the campaign to earlier activity. Such mistakes could accelerate attribution but have not slowed the operation so far.
Monetization looks straightforward. Harvested credentials feed fraud schemes, spam campaigns, account takeovers or direct resale. The absence of mining points to a preference for quick cash. Validated cloud keys and API tokens often sell fast on underground markets. Financial and crypto data offer even higher returns. “The absence of cryptomining suggests the actor prioritizes quick payoffs through stealing credentials and wallets over long-term resource exploitation,” the SentinelOne report explained.
Organizations running exposed services sit in the crosshairs. Cloud providers, managed Kubernetes clusters, self-hosted databases and legacy web applications all qualify. Many environments still run outdated WordPress plugins or unpatched Next.js instances. Default Docker configurations without proper network controls remain common.
Defenders can hunt for concrete indicators. Look for the /var/lib/.spm/ directory and files such as monitor.py, harvest.jsonl or sys-monitor.service. Cron entries launching Python from that path deserve scrutiny. Outbound connections to Telegram or the known S3 bucket should trigger alerts. Parquet file downloads from Common Crawl combined with unusual Python process behavior form a strong signal.
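A host-level hunt for the artifacts just listed, written here as an added example and not code from the article or from SentinelOne. The systemd unit directories, the cron file locations and the venv path in the sample cron line are assumptions; the file and service names come from the report.

```python
"""Hunt for PCPJack host artifacts (added example, not SentinelOne's or the malware's code)."""
import glob
import os

# Indicators named in the write-up; a hit is a triage signal, not proof of infection.
SPM_DIR = "/var/lib/.spm"
SPM_FILES = ("monitor.py", "utils.py", "_lat.py", "harvest.jsonl")
SERVICE_NAME = "sys-monitor.service"
# Assumed locations for the unit file and for cron entries on a typical Linux host.
SERVICE_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")
CRON_GLOBS = ("/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/crontabs/*", "/var/spool/cron/*")


def find_artifacts(existing_paths):
    """Match a collection of absolute paths against the file indicators."""
    paths = set(existing_paths)
    findings = []
    if any(p == SPM_DIR or p.startswith(SPM_DIR + "/") for p in paths):
        findings.append(f"hidden directory in use: {SPM_DIR}")
    findings += [f"known module: {SPM_DIR}/{n}" for n in SPM_FILES if f"{SPM_DIR}/{n}" in paths]
    findings += [f"persistence unit: {d}/{SERVICE_NAME}" for d in SERVICE_DIRS
                 if f"{d}/{SERVICE_NAME}" in paths]
    return findings


def suspicious_cron_lines(crontab_text):
    """Return non-comment cron lines that launch Python from the hidden directory."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and SPM_DIR + "/" in s and "python" in s.lower():
            hits.append(s)
    return hits


def hunt_host():
    """Run both checks against the live host; reading user crontabs needs root."""
    candidates = [SPM_DIR] + [f"{SPM_DIR}/{n}" for n in SPM_FILES]
    candidates += [f"{d}/{SERVICE_NAME}" for d in SERVICE_DIRS]
    findings = find_artifacts([p for p in candidates if os.path.exists(p)])
    for pattern in CRON_GLOBS:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [f"cron in {path}: {l}" for l in suspicious_cron_lines(fh.read())]
            except OSError:
                continue  # unreadable without privilege; skip rather than abort the hunt
    return findings


if __name__ == "__main__":
    for finding in hunt_host() or ["no PCPJack artifacts found"]:
        print(finding)
```

Pair this with network alerting on Telegram and the known S3 bucket, since a clean filesystem check on one host says nothing about the rest of the fleet.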
Prevention demands basics done well. Hide secrets in dedicated vaults. Enforce multifactor authentication everywhere possible. Segment container networks. Disable unnecessary exposed ports. Keep web applications patched. Monitor for anomalous Kubernetes API calls or Docker socket access. These steps blunt the attack before it gains momentum.
PCPJack underscores a maturing threat pattern. Cloud attackers increasingly treat credential theft as the primary objective rather than a stepping stone to ransomware or mining. They automate discovery with public datasets. They compete with rival groups by sanitizing environments. And they iterate quickly, maintaining multiple toolsets in parallel.
The campaign remains active. New reports continue to surface as researchers track its spread. Dark Reading noted that organizations ignoring cloud hygiene risk sudden loss of critical access tokens across their entire stack. The worm does not wait. It scans, exploits, harvests and moves on.
Security teams should treat exposed cloud assets as perimeter systems. Assume they will face automated exploitation. Validate configurations continuously. And prepare to respond when the inevitable foothold appears. Because in this environment the next infection is rarely far away.


WebProNews is an iEntry Publication