SentinelOne researchers disclosed the PCPJack credential theft framework, which targets cloud infrastructure, exploits five known CVEs to spread worm-like across environments, and actively removes traces of the prior TeamPCP threat group from compromised systems.

On May 7, 2026, cybersecurity researchers at SentinelOne disclosed a new modular credential theft framework named PCPJack, designed to target exposed cloud, container, and developer environments. The toolset harvests credentials from a wide range of services, exfiltrates data to attacker-controlled infrastructure, and spreads worm-like across compromised networks by exploiting five known security vulnerabilities.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in the report published today. The campaign’s end goal is illicit revenue generation through credential theft, fraud, spam, extortion, or resale of stolen access.
Connection to TeamPCP
This activity shares significant targeting overlaps with TeamPCP, a threat actor that rose to prominence in late 2025 by exploiting known flaws such as React2Shell and cloud misconfigurations to enlist endpoints in a network for data theft and post-exploitation actions. Unlike TeamPCP, PCPJack does not include a cryptocurrency mining component. Researchers assess PCPJack may be operated by a former TeamPCP member familiar with the group’s tradecraft, as the toolset actively removes all TeamPCP artifacts from compromised environments.
When exfiltrating system information and credentials, PCPJack operators even collect success metrics on whether TeamPCP has been evicted from targeted environments in a "PCP replaced" field sent to the command-and-control (C2) server. "This implies a direct focus on the threat actor's activities rather than pure cloud attack opportunism," Delamotte noted.
Key Technical Details
The attack chain starts with a bootstrap shell script used to prepare the target environment, configure the payload host, and download next-stage tooling. The script also infects the attacker’s own infrastructure, terminates and removes TeamPCP processes and artifacts, installs Python, establishes persistence, downloads six Python scripts, launches the orchestration module, and deletes itself to avoid detection.
The six Python payloads are:
- worm.py (written to disk as monitor.py): The main orchestrator that launches purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting five known CVEs (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703), and uses Telegram for C2 communications.
- parser.py (also labeled utils.py): Handles credential extraction and categorizes stolen keys and secrets.
- lateral.py (written to disk as _lat.py): Facilitates reconnaissance, harvests secrets, and enables lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services.
- crypto_util.py (written to disk as _cu.py): Encrypts credentials before exfiltration to the attacker’s Telegram channel.
- cloud_ranges.py (written to disk as _cr.py): Collects IP address ranges assigned to Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly, refreshing the data every 24 hours.
- cloud_scan.py (written to disk as _csc.py): Runs cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services.
Targeted Services and Propagation Methods
PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing operators to spread in a worm-like fashion and move laterally within compromised networks. 
Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides public archives and datasets at no cost.
Further analysis of the threat actor’s infrastructure uncovered another shell script named "check.sh" that detects the target CPU architecture and fetches the appropriate binary for Sliver, a cross-platform adversary simulation framework. The script also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, and OpenAI, then transmits them to an external server.
SentinelOne researchers noted the two toolsets are well-developed, with a modular framework design despite some redundancies in behavior. "This campaign does not [deploy miners], and it deliberately removes the miner functions associated with TeamPCP. Despite that, this actor has well-defined scopes for extracting cryptocurrency credentials," the report states.
Practical Mitigation Steps
Organizations running cloud infrastructure, containers, or developer tools should take immediate action to protect against PCPJack:
- Patch all exploited CVEs: Prioritize updating systems affected by CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Check all instances of Docker, Kubernetes, Redis, MongoDB, RayML, and public-facing web applications for unpatched vulnerabilities. Reference the MITRE CVE Database for full details on each flaw.
- Monitor for indicators of compromise: Scan environments for the six Python scripts (monitor.py, utils.py, _lat.py, _cu.py, _cr.py, _csc.py), the bootstrap shell script, and check.sh. Watch for suspicious Telegram traffic, especially communications to unknown channels or high volumes of data exfiltrated to Telegram.
- Audit for TeamPCP remnants: Since PCPJack actively removes TeamPCP artifacts, check for signs of prior TeamPCP activity, including old miner processes, leftover configuration files, or unauthorized access tied to the group’s known tradecraft.
- Secure IMDS endpoints: Restrict access to IMDS v1, use IMDS v2 with session tokens for cloud instances, and avoid hardcoding credentials in instance metadata or environment variables.
- Rotate targeted credentials: Immediately rotate all credentials for Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, OpenAI, and all cloud provider accounts. Audit access logs for unauthorized use of these credentials.
- Monitor Python execution: PCPJack relies heavily on Python. Track unexpected Python script execution, especially scripts that access cloud service credentials, scan network ports, or communicate with external servers. Use endpoint detection tools to flag unauthorized Python processes.
- Control Common Crawl access: If your organization does not use Common Crawl datasets, block or monitor downloads of parquet files from commoncrawl.org to prevent PCPJack from pulling target lists.
- Implement least privilege and segmentation: Limit permissions for Docker, Kubernetes, Redis, and MongoDB instances to prevent lateral movement. Use network segmentation to isolate critical cloud infrastructure from public-facing services, and restrict SSH access to only authorized users.
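The "Monitor for indicators of compromise" step above can be turned into a repeatable triage check. The script below is an added example, not SentinelOne's tooling and not part of the original report: it sweeps a directory tree for the on-disk filenames the report lists (monitor.py, utils.py, _lat.py, _cu.py, _cr.py, _csc.py, check.sh) and parses egress-proxy log lines for requests to the Telegram Bot API, flagging large uploads as likely bulk exfiltration and redacting the bot token so the finding can be shared. The key=value log format, the sample log lines and the sample directory tree are constructed for the example; a filename match is only a lead, since monitor.py and utils.py are common legitimate names.

```python
"""Constructed triage checks for the PCPJack indicators named in the report.
Added example, not SentinelOne tooling; the log format and samples are made up."""
import os
import re
import tempfile
from urllib.parse import urlsplit

# On-disk names the report gives for the six payloads and the check.sh helper.
PCPJACK_FILENAMES = frozenset({
    "monitor.py", "utils.py", "_lat.py", "_cu.py", "_cr.py", "_csc.py", "check.sh",
})

# Telegram Bot API host; the report says PCPJack uses Telegram for C2 and exfiltration.
TELEGRAM_HOSTS = frozenset({"api.telegram.org"})


def find_named_artifacts(root, names=PCPJACK_FILENAMES):
    """Walk root and return files whose basename is a known PCPJack filename.

    A name match is a triage lead, not proof: monitor.py and utils.py are common
    legitimate names, so each hit still needs a look at the file's contents.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f in names)
    return sorted(hits)


# Constructed key=value egress-proxy log format (not any vendor's real format):
# ts=<iso> src=<ip> method=<verb> url=<url> bytes_out=<request body bytes>
KV_RE = re.compile(r"(\w+)=(\S+)")
BOT_TOKEN_RE = re.compile(r"/bot[^/]+/")  # the /bot<token>/ path prefix of the Bot API


def telegram_egress(log_lines, bulk_bytes=1_000_000):
    """Return one finding per request to a Telegram API host.

    Each finding is (src, method, bytes_out, redacted_url, is_bulk); is_bulk marks
    uploads at or above bulk_bytes, the shape a credential-bundle exfil would take.
    The bot token is redacted so the finding can be pasted into a ticket.
    """
    findings = []
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        url = fields.get("url", "")
        if urlsplit(url).hostname not in TELEGRAM_HOSTS:
            continue
        sent = int(fields.get("bytes_out", "0"))
        redacted = BOT_TOKEN_RE.sub("/bot<redacted>/", url)
        findings.append((fields.get("src"), fields.get("method"), sent, redacted, sent >= bulk_bytes))
    return findings


SAMPLE_LOG = [  # constructed lines: one package download, two Telegram calls, one Common Crawl fetch
    "ts=2026-05-07T10:01:02Z src=10.0.1.5 method=GET url=https://pypi.org/simple/requests/ bytes_out=0",
    "ts=2026-05-07T10:01:09Z src=10.0.1.5 method=POST url=https://api.telegram.org/bot123:ABC/sendDocument bytes_out=2400000",
    "ts=2026-05-07T10:02:00Z src=10.0.1.7 method=POST url=https://api.telegram.org/bot123:ABC/sendMessage bytes_out=512",
    "ts=2026-05-07T10:03:00Z src=10.0.1.8 method=GET url=https://index.commoncrawl.org/ bytes_out=0",
]


def build_sample_tree(base):
    """Create a constructed directory tree with two PCPJack-named files and one decoy."""
    os.makedirs(os.path.join(base, "tmp", ".x"), exist_ok=True)
    os.makedirs(os.path.join(base, "app"), exist_ok=True)
    for rel in ("tmp/.x/monitor.py", "tmp/.x/_lat.py", "app/main.py"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("# placeholder file for the example\n")
    return base


def run_triage(root=None, log_lines=SAMPLE_LOG):
    """Run both checks; builds a throwaway sample tree when no root is given."""
    if root is None:
        root = build_sample_tree(tempfile.mkdtemp())
    return {"files": find_named_artifacts(root), "telegram": telegram_egress(log_lines)}


if __name__ == "__main__":
    for kind, items in run_triage().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On a real host, pass the mount point to scan as `root` (for example `/` or a container's overlay directory) and feed `telegram_egress` the lines exported from the egress proxy or firewall, mapped into the key=value shape above. The bulk threshold is a starting point; a legitimate Telegram bot sending short status messages stays well under it, while a credential bundle uploaded through sendDocument does not.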
Worm-like malware can compromise an entire cloud environment from a single vulnerable entry point, so rapid patching and monitoring are critical to preventing widespread damage.
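The "Secure IMDS endpoints" step in the list above can be audited from the output of `aws ec2 describe-instances`. The script below is an added example for AWS only, not part of the original report: it reads the real `MetadataOptions` fields the EC2 API returns (`HttpEndpoint`, `HttpTokens`, `HttpPutResponseHopLimit`), reports instances that still accept IMDSv1 requests or whose hop limit lets containers on a bridge network reach the metadata service, and prints the `aws ec2 modify-instance-metadata-options` command that enforces IMDSv2. The instance records are constructed sample data; the region is passed in rather than derived.

```python
"""Added example: audit EC2 instances for IMDSv1 exposure from describe-instances
output and emit the CLI command that enforces IMDSv2. Sample data is constructed."""
import json

# Constructed `aws ec2 describe-instances` output, trimmed to the fields used here.
# The MetadataOptions keys and values are the real ones the EC2 API returns.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaa111example",
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
      {"InstanceId": "i-0bbb222example",
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-0ccc333example",
       "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
    ]}
  ]
}
""")


def audit_imds(describe_output):
    """Return {instance_id: [issues]} for instances whose metadata options still
    allow the credential grab the report describes (a script or container
    reading IMDS without a session token).

    - imdsv1-allowed: HttpTokens is not "required", so token-less IMDSv1 requests succeed.
    - hop-limit-reaches-containers: HttpPutResponseHopLimit above 1 lets the IMDSv2
      token response cross one extra hop, so containers on a bridge network can use it.
    Instances with the endpoint disabled are skipped; nothing can read IMDS there.
    """
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop-limit-reaches-containers")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id, region):
    """Real AWS CLI command that requires IMDSv2 tokens and sets the hop limit to 1.

    A hop limit of 1 breaks workloads that legitimately read IMDS from inside a
    container (some Kubernetes node setups need 2), so confirm that before applying.
    """
    return (
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {instance_id} --http-tokens required "
        f"--http-put-response-hop-limit 1 --http-endpoint enabled"
    )


def remediation_plan(describe_output, region):
    """One remediation command per flagged instance, in instance-id order."""
    return [remediation_command(i, region) for i in sorted(audit_imds(describe_output))]


if __name__ == "__main__":
    for instance_id, issues in audit_imds(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, ", ".join(issues))
    for cmd in remediation_plan(SAMPLE_DESCRIBE_INSTANCES, "us-east-1"):
        print(cmd)
```

To run it against a real account, capture `aws ec2 describe-instances --region <region> --output json` into a file, load it with `json.load`, and pass it to `audit_imds`; repeat per region. Google Cloud and Azure have their own metadata-service controls, which this AWS-only check does not cover.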
