PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
TL;DR — A new credential theft framework called PCPJack targets exposed cloud infrastructure by exploiting five known vulnerabilities to propagate in a worm-like pattern. The toolset harvests credentials from Docker, Kubernetes, and major cloud providers, then exfiltrates data via Telegram. The campaign shares significant overlap with TeamPCP but notably lacks cryptocurrency mining functionality.
What happened
SentinelOne researchers disclosed PCPJack, a modular credential theft framework designed to compromise cloud environments and move laterally across container orchestration platforms and data stores. The attack begins with a bootstrap shell script that prepares the target environment, downloads six Python modules, establishes persistence, and removes itself after deployment.
The six Python payloads handle distinct attack phases: credential harvesting from local systems and cloud metadata endpoints; lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services; reconnaissance; encryption of stolen secrets; collection and maintenance of IP address ranges from major cloud providers; and external propagation via cloud port scanning.
PCPJack propagates to new hosts by exploiting five known vulnerabilities: CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Propagation targets come from Common Crawl datasets, allowing the worm to identify and scan for vulnerable cloud services at scale. The threat actors use Telegram for command-and-control communications.
The toolset actively searches for credentials from productivity and SaaS platforms including Anthropic, Digital Ocean, Discord, Google APIs, Grafana Cloud, HashiCorp Vault, 1Password, and OpenAI. It also scans Instance Metadata Service (IMDS) endpoints and Kubernetes service account tokens. Notably, when exfiltrating stolen credentials, the operator logs a "PCP replaced" metric to their command server, tracking whether TeamPCP artifacts have been successfully evicted from targeted environments.
A secondary shell script ("check.sh") detects the target CPU architecture and downloads the appropriate Sliver binary—an open-source command-and-control framework—for post-exploitation activity.
Why it matters
For cloud infrastructure operators and developers, PCPJack presents a multi-layered threat. The worm's ability to self-propagate across cloud services using known CVEs means that unpatched systems face rapid compromise. Once inside a network, the framework moves laterally through container orchestration platforms and data stores, accessing secrets stored in Kubernetes service accounts, Docker configurations, and cloud provider metadata endpoints.
The credential harvesting scope is particularly broad. PCPJack collects not only infrastructure credentials but also API keys and authentication tokens for third-party SaaS and developer tools. These stolen credentials enable attackers to pivot into additional systems and accounts beyond the initial breach, multiplying the blast radius of a single compromise.
The operational emphasis on displacing TeamPCP from environments suggests targeted, competitive activity rather than indiscriminate cloud scanning. This indicates that PCPJack operators are actively hunting for and taking over infrastructure already compromised by rival threat actors—a pattern that may accelerate credential theft across MENA-region cloud deployments if they become targets.
The use of Telegram as a command-and-control channel complicates detection, as the platform is widely used and difficult to restrict without disrupting legitimate traffic.
Affected systems and CVEs
Affected systems and platforms:
- Docker
- Kubernetes
- Redis
- MongoDB
- RayML
- AWS
- Google Cloud
- Microsoft Azure
- Cloudflare
- Cloudfront
- Fastly
- Anthropic
- Digital Ocean
- Discord
- Google API
- Grafana Cloud
- HashiCorp Vault
- 1Password
- OpenAI
CVEs exploited for propagation:
- CVE-2025-55182
- CVE-2025-29927
- CVE-2026-1357
- CVE-2025-9501
- CVE-2025-48703
What to do
- Patch all systems vulnerable to the five CVEs listed above immediately, prioritizing externally facing services and cloud infrastructure.
- Monitor for and terminate processes matching the PCPJack module signatures (worm.py, parser.py, lateral.py, crypto_util.py, cloud_ranges.py, cloud_scan.py, check.sh).
- Audit and delete any Sliver binaries from systems.
- Restrict and monitor access to Instance Metadata Service (IMDS) endpoints; disable IMDS where not required.
- Review and rotate credentials stored in Kubernetes service accounts, Docker configurations, and cloud provider metadata.
- Implement network segmentation to limit lateral movement between cloud services, particularly between container platforms and data stores.
- Monitor outbound traffic to Telegram for suspicious command-and-control communications.
- Scan for unauthorized credential extraction from HashiCorp Vault, 1Password, and other secrets management tools.
- Enable logging and alerting for failed authentication attempts and unusual API activity on cloud provider accounts.
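As an added example (not part of the advisory or SentinelOne's tooling) of the process-monitoring step above, the following script matches running command lines against the module file names named in this brief. The sample process table is constructed for offline demonstration; `read_proc_cmdlines()` is the live Linux equivalent.

```python
import os
import re
from typing import Iterable

# Module file names listed in the advisory; not an exhaustive signature set.
PCPJACK_MODULES = ("worm.py", "parser.py", "lateral.py", "crypto_util.py",
                   "cloud_ranges.py", "cloud_scan.py", "check.sh")

# Match a module name only as a whole path component (start, whitespace or "/" before it,
# whitespace or end after it), so "parser_service.py" or "myparser.py" do not trigger.
_PATTERN = re.compile(r"(?:^|[\s/])(" + "|".join(re.escape(m) for m in PCPJACK_MODULES) + r")(?=\s|$)")

def match_cmdline(cmdline: str) -> list[str]:
    """Return the PCPJack module names referenced in one process command line."""
    return sorted(set(_PATTERN.findall(cmdline)))

def scan_cmdlines(procs: Iterable[tuple[int, str]]) -> list[dict]:
    """Given (pid, cmdline) pairs, return one finding per process that references a module."""
    findings = []
    for pid, cmd in procs:
        hits = match_cmdline(cmd)
        if hits:
            findings.append({"pid": pid, "modules": hits, "cmdline": cmd})
    return findings

def read_proc_cmdlines() -> list[tuple[int, str]]:
    """Read live command lines from /proc on Linux (argv is NUL-separated in /proc/<pid>/cmdline)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue  # process exited or is not readable
        out.append((int(entry), " ".join(a.decode(errors="replace") for a in argv if a)))
    return out

# Constructed sample process table (hypothetical paths) for offline demonstration.
SAMPLE_PROCS = [
    (1, "/sbin/init"),
    (4021, "python3 /tmp/.cache/worm.py --threads 64"),
    (4022, "/bin/sh -c sh /tmp/.cache/check.sh"),
    (4100, "python3 /opt/app/parser_service.py"),      # benign: not "parser.py"
    (5000, "/usr/bin/python3 /home/dev/myparser.py"),  # benign: not a whole component
]

if __name__ == "__main__":
    for finding in scan_cmdlines(read_proc_cmdlines() if os.path.isdir("/proc") else SAMPLE_PROCS):
        print(finding)
```

A file name is a weak indicator on its own, since the modules can be renamed; treat a hit as a trigger for host triage (persistence entries, outbound Telegram connections, Sliver binaries) rather than as proof by itself.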
Open questions
- What is the timeline of the PCPJack campaign, and when did it begin operating?
- What is the scale and scope of actual compromised environments and organizations?
- Are PCPJack operators definitively former members of TeamPCP, or is this a separate threat cluster with overlapping tactics?
- Why did the operators exclude cryptocurrency mining despite its established profitability in cloud environments?
- What is the full list of organizations, sectors, or geographic regions being targeted?
- Are additional tools or payloads beyond the six Python scripts and Sliver deployment currently in use by this group?
Source
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems