PCPJack Doesn't Just Steal Your Credentials. It Kicks Out Other Hackers First.

SentinelLABS disclosed PCPJack on May 7 — a Linux cloud worm that exploits 5 CVEs across Docker, Kubernetes, Redis, MongoDB, and RayML, then evicts rival TeamPCP malware before stealing credentials. The "PCP replaced" telemetry field is the editorial differentiator.

PCPJack is a Linux cloud worm exploiting five CVEs across exposed cloud services. It evicts rival TeamPCP malware before establishing persistence and stealing credentials at scale.

The exposed Docker host you haven't patched isn't between you and one attacker. It's contested terrain between three or four — and one of them is keeping score.

SAN FRANCISCO — SentinelLABS disclosed on May 7, 2026 a previously undocumented Linux cloud worm dubbed PCPJack that exploits five known CVEs across exposed Docker, Kubernetes, Redis, MongoDB, and RayML services to harvest credentials at scale. The framework's distinguishing feature is operational rather than technical: before establishing persistence, PCPJack actively searches for and removes any artifacts left by rival cloud threat group TeamPCP, then reports a "PCP replaced" success metric to its command-and-control servers.

Researcher Alex Delamotte at SentinelLABS discovered PCPJack on April 28 via a Kubernetes-focused VirusTotal hunting rule and assesses the operator may be a former TeamPCP member based on tooling overlap. Unlike most cloud crimeware, PCPJack does not deploy cryptocurrency mining — a deliberate departure that signals a shift toward direct credential monetization, fraud, and resale of access. For organizations running cloud workloads exposed to the public internet, this is an immediate patch-and-rotate event with implications well beyond the named framework. The same dynamic appeared in the Quasar Linux RAT credential-theft pattern reported earlier this month: developer-credential file harvesting is now the dominant cloud crimeware monetization model.

Who is affected

Cloud workload operators with exposed services: Docker, Kubernetes, Redis, MongoDB, RayML on the public internet.
Engineering orgs with credentials in .env files: direct target of PCPJack's credential parser.
SaaS API token holders: AWS, Anthropic, OpenAI, Vault, 1Password, GCP all targeted.
SOC and IR teams: new "rival eviction" detection patterns to add.

The five CVEs and the Common Crawl pivot

PCPJack exploits CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703 to establish initial access on exposed cloud services. The target acquisition method is the operationally interesting detail: per gblock.app's analysis, the operator pulls Common Crawl parquet files, filters for service banners matching the target list, and sprays a bootstrap script at every match. The same dataset that sits behind LLM training is now sitting behind cloud target acquisition.

Once initial access is established, a Linux shell script named bootstrap.sh sets up the environment, removes TeamPCP artifacts including processes, services, containers, files, and persistence, creates a Python virtual environment, downloads six Python modules from an AWS S3 bucket, renames them to bland names like worm.py or monitor.py, establishes its own persistence, launches the orchestrator, and self-deletes. The modules cover credential parsing, lateral movement, command-and-control message encryption, cloud IP range lookups, and cloud scanning.

What it steals

PCPJack targets .env files, configuration files, environment variables, SSH keys, cryptocurrency wallets, and a long list of cloud and SaaS service tokens — AWS, Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, OpenAI, Slack, and WordPress configurations among them. Container credentials for Kubernetes and Docker are also in scope. Exfiltration uses X25519 ECDH and ChaCha20-Poly1305 encryption, splits payloads into 2,800-byte chunks to respect Telegram message character limits, and routes everything through Telegram channels.

Two operational security lapses are worth flagging for defenders: per iTnews, the operator failed to encrypt the token for the attacker's Telegram C2 bot and failed to encrypt the credential decryption key. The rest of the codebase is described as well-developed, which makes the lapses unusual but useful for hunting.

Why the rival eviction matters

TeamPCP is the cloud-focused threat group behind February 2026's Aqua Security Trivy compromise, the LiteLLM and Telnyx PyPI package trojanizations, and the SAP npm "Mini Shai-Hulud" worm. SentinelLABS notes that many of the services PCPJack targets overlap with TeamPCP's early campaigns from December 2025, and assesses the operator may be a former TeamPCP member who is deeply familiar with the group's tooling. TeamPCP's X account was suspended on April 19; before suspension, the group made a post alluding to threat actor "identity theft."

What PCPJack reports back to its operators — the "PCP replaced" success counter — is the editorially distinguishing detail. Most cloud crimeware silently competes with rivals for the same compromised infrastructure. PCPJack quantifies its rival displacement and reports it as a metric. For defenders, the implication is that the same exposed Docker host can be compromised, evicted, and re-compromised multiple times in a short window, with each attacker assuming they own the box. Update IR playbooks accordingly.


The CyberSignal Analysis

Signal 01 — Cloud crimeware is moving past mining

The deliberate absence of cryptocurrency mining in PCPJack is a more interesting finding than the rival-eviction mechanism. Mining was the lazy default for cloud crimeware because it produces revenue without doing the harder work of monetizing stolen credentials. PCPJack's operator decided credential theft, fraud, and resale of access are worth the additional effort. That means the next wave of exposed-Docker-host campaigns will increasingly look like infostealer operations, not coin miners — and the relevant detection signals shift from CPU anomalies to outbound credential exfiltration.

Signal 02 — Common Crawl is now reconnaissance infrastructure

If your cloud services are reachable from the public internet, they are findable in Common Crawl, period. Standard tradecraft now assumes service-banner matching against the dataset, not noisy port scanning. The defensive implication: removing exposure from the public internet is more valuable than detection, because target selection now happens inside the attacker's acquisition pipeline, before any traffic reaches your environment.

Signal 03 — Telegram is a production C2 channel for cloud crimeware

PCPJack routes credential exfiltration to Telegram, with explicit logic to chunk payloads to fit Telegram's message size limits. Production cloud workloads almost never need to reach api.telegram.org. Add it to your egress monitoring and DNS blocklists for production tenants, treat any outbound connection to it from a production host as a potential indicator of compromise, and review the workload's recent process tree before assuming it's a misconfiguration.

What to do this week

  1. Patch CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703 across exposed Docker, Kubernetes, Redis, MongoDB, and RayML deployments. Run a fresh exposure audit afterward to confirm none of these services are still publicly reachable.
  2. Rotate API keys for AWS, Anthropic, OpenAI, HashiCorp Vault, 1Password, DigitalOcean, Slack, and any SaaS provider whose tokens may live in .env files on cloud hosts. Treat tokens as session credentials, not permanent ones, and move secrets to a vault with audit logging where they aren't already.
  3. Add detection for: processes named monitor.py or worm.py launched from a Python virtual environment outside change-control; bash scripts that delete TeamPCP-related files before establishing their own persistence; AWS S3 bucket downloads to /tmp or /dev/shm; and outbound traffic from production cloud workloads to api.telegram.org.
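As an added example that is not part of SentinelLABS' report or the original article, the following Python hunting pass applies three of the detections listed above to a handful of constructed process and connection events. The key=value event format, host names, bucket name and the two staging directories are assumptions; the TeamPCP file-deletion pattern is left out because the article names no specific artifact paths to match on.

```python
import re

# Constructed sample telemetry (not from the report): one exec or connect event per line.
SAMPLE_EVENTS = """\
type=exec host=prod-docker-01 exe=/usr/bin/python3 args="/usr/bin/python3 /opt/app/monitor.py"
type=exec host=prod-docker-01 exe=/tmp/.venv/bin/python args="/tmp/.venv/bin/python /tmp/.venv/worm.py"
type=exec host=prod-k8s-node-3 exe=/usr/bin/curl args="curl -o /dev/shm/.m1 https://example-bucket.s3.amazonaws.com/m1"
type=exec host=prod-k8s-node-3 exe=/usr/bin/curl args="curl -o /opt/data.bin https://cdn.example.com/data.bin"
type=connect host=prod-redis-02 dst=api.telegram.org dport=443
type=connect host=prod-redis-02 dst=repo.example.internal dport=443
"""

SUSPECT_MODULES = ("monitor.py", "worm.py")   # bland names PCPJack renames its modules to
STAGING_DIRS = ("/tmp/", "/dev/shm/")         # assumed staging paths for S3 module downloads
C2_HOSTS = ("api.telegram.org",)              # Telegram API used as the exfiltration channel

def parse_event(line):
    """Parse a key=value line (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_venv_python(exe):
    # A virtualenv interpreter lives at <prefix>/bin/python* where <prefix> is not a system prefix.
    return re.search(r"/bin/python[\d.]*$", exe) is not None and not exe.startswith(("/usr/", "/bin/"))

def check(ev):
    """Return (rule_name, detail) when an event matches one of the hunting rules, else None."""
    if ev.get("type") == "exec":
        argv = ev.get("args", "").split()
        # Rule 1: monitor.py / worm.py started by a non-system (virtualenv) Python interpreter.
        if is_venv_python(ev.get("exe", "")) and any(a.rsplit("/", 1)[-1] in SUSPECT_MODULES for a in argv[1:]):
            return ("venv_worm_module", ev["args"])
        # Rule 2: download from an S3 bucket written into a temp/shared-memory staging directory.
        if any(a.startswith(STAGING_DIRS) for a in argv) and any("s3" in a and "amazonaws.com" in a for a in argv):
            return ("s3_download_to_staging", ev["args"])
    elif ev.get("type") == "connect" and ev.get("dst", "").lower() in C2_HOSTS:
        # Rule 3: production workload talking to the Telegram API.
        return ("telegram_egress", f'{ev["dst"]}:{ev.get("dport", "?")}')
    return None

def scan(lines):
    """Run every rule over the event lines and return (rule, host, detail) tuples for each hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        match = check(ev)
        if match:
            hits.append((match[0], ev.get("host", "?"), match[1]))
    return hits

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {host}: {detail}")
```

Note that the first sample event (monitor.py run by the system /usr/bin/python3 from an application directory) is deliberately not flagged: the rule keys on the virtualenv interpreter, which is what separates the PCPJack pattern from an ordinary script with a common name.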

Sources

Type        Source
Primary     SentinelLABS — Cloud worm evicts TeamPCP and steals credentials at scale (Alex Delamotte)
Reporting   The Hacker News — PCPJack credential stealer exploits 5 CVEs
Reporting   BleepingComputer — New PCPJack worm steals credentials, cleans TeamPCP infections (Bill Toulas)
Analysis    gblock.app — PCPJack CVE list and Common Crawl detail
Reporting   iTnews — PCPJack cloud worm operational security lapses