PCPJack is a cloud credential theft worm, discovered by SentinelLABS on April 28, 2026, that first removes the tools of the rival TeamPCP threat actor and then harvests AWS, Kubernetes, Docker, Redis, Slack, Stripe and cryptocurrency credentials from exposed cloud infrastructure at global scale.
Imagine this scene for a second. An attacker reaches another attacker's infected servers. He uninstalls the previous malware, then installs his own, and then systematically extracts credentials from that entire cloud infrastructure. AWS keys. Kubernetes tokens.
Docker secrets. Stripe API keys. Slack tokens. Binance, Coinbase and OpenAI keys. All in a single session. This is not a scene from a movie. On April 28, 2026, SentinelLABS researchers discovered a real threat named PCPJack, and when they dug deeper, what they found was a new chapter in the world of cloud security.
PCPJack is not just a piece of malware. It is a complete cloud credential harvesting framework that spreads like a worm. It targets Docker. It targets Kubernetes. It targets Redis. It targets MongoDB. It targets RayML. It goes after exactly those exposed services that most developers and DevOps teams do not secure because they assume that anything on the internal network is safe.
And the strangest thing is that this framework starts its work by deleting another attacker's malware. A threat actor group named TeamPCP compromised Aqua Security's Trivy vulnerability scanner in February 2026. PCPJack explicitly detects and removes that group's artifacts and processes and then establishes its own infrastructure. This level of competition within the threat actor ecosystem has rarely been documented before.
Complete Technical Framework of PCP
The infection begins with bootstrap.sh, a shell script designed for Linux systems. Its first task is to clean up its main competitor. The script explicitly lists the names of all processes and services associated with the TeamPCP and PCPcat campaigns, and every such artifact is deleted.
Figure: Telegram bot token and hardcoded blocked IP addresses for self-protection
Every matching process is killed. A field named PCP Replaced is then sent to the C2 server, confirming whether TeamPCP was evicted or not. In other words, the operator of PCPJack was literally tracking metrics on where the competitor had been removed.
Figure: PCPcat processes, services and file paths removed from infected cloud systems
After the bootstrap script, the Python worm comes into play. The remaining modules are downloaded from an S3 bucket, and their names are changed on disk to make analysis harder. monitor.py was the main orchestrator. utils.py was the credential parsing engine. _lat.py handled lateral movement. _cu.py handled data encryption. _cr.py held cloud IP ranges. _csc.py handled external scanning. Each module was deliberately separated from the others so that nobody could understand the whole picture by analyzing a single module. Only monitor.py carried the full dependency graph.
Sensitive strings were stored in the script as hex-encoded blobs. To decode them, a function used the MD5 hash of the string urllib3.poolmanager as an XOR key. The name was deliberately chosen to look like a common Python library so that it would not appear suspicious.
Figure: string as XOR key to decrypt obfuscated sensitive constants
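The string-masking scheme described above, reconstructed as an added analyst example (this is not code from the SentinelLABS report or from the worm itself). It assumes the raw 16-byte MD5 digest of the library-looking string is used as a repeating XOR key; a real sample may use the hex digest or a different layout, so the key derivation is the first thing to verify against the actual decode routine. All blob values are constructed placeholders, not indicators from the page.

```python
import hashlib

# Assumed key derivation (analyst reconstruction, not the worm's code): the raw
# 16-byte MD5 digest of the library-looking string is used as a repeating XOR key.
KEY_SEED = "urllib3.poolmanager"
XOR_KEY = hashlib.md5(KEY_SEED.encode()).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_blob(hex_blob: str, key: bytes = XOR_KEY) -> str:
    """Recover a plaintext constant from a hex-encoded, XOR-masked blob."""
    return xor_bytes(bytes.fromhex(hex_blob), key).decode("utf-8", errors="replace")


def encode_blob(plaintext: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decode_blob; used here only to build labelled test fixtures."""
    return xor_bytes(plaintext.encode("utf-8"), key).hex()


def is_probable_plaintext(s: str) -> bool:
    """Triage aid: the right key yields printable ASCII, a wrong key yields noise."""
    return all(32 <= ord(c) < 127 for c in s)


# Constructed sample blobs with placeholder contents (not IOCs from the report).
SAMPLE_BLOBS = {
    "c2_channel": encode_blob("EXAMPLE_TELEGRAM_CHANNEL_ID"),
    "bucket": encode_blob("example-bucket-placeholder"),
}


def decode_all(blobs=SAMPLE_BLOBS) -> dict:
    """Decode every blob and return name -> recovered plaintext."""
    return {name: decode_blob(blob) for name, blob in blobs.items()}


if __name__ == "__main__":
    for name, value in decode_all().items():
        flag = "" if is_probable_plaintext(value) else "  (wrong key?)"
        print(f"{name}: {value}{flag}")
```

When triaging a sample, run every hex blob through decode_blob and keep only those that pass is_probable_plaintext; if none do, the key derivation assumption is wrong and the decode routine needs to be read more carefully.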
But here the attacker made a basic operational security mistake. The Telegram bot token and the credential decryption key were left unencrypted. Such a sophisticated framework missing the fundamentals shows that no matter how good the tooling is, operator discipline still matters.
The scope of credential theft is mind-boggling. .env files were extracted from the local system. Environment variables yielded API keys and database credentials. SSH private keys. Kubernetes service account tokens. Docker secrets. AWS IMDS credentials.
Cryptocurrency wallet files. Ethereum keystores. Solana keys. Then, secrets deleted from git history were also searched for. The credential categories covered by utils.py included Binance, Bitcoin, Coinbase, Kraken, OKX, Stripe, AWS, GitHub, Slack, WordPress, Gmail, Microsoft Office 365, SendGrid, Twilio, Mailchimp and Yandex. The other toolset, check.sh, added some further targets: Anthropic, OpenAI, Discord, Google APIs, Grafana Cloud and HashiCorp Vault. 1Password keys were also targeted.
The propagation mechanism was simply amazing. The worm downloaded its list of targets from Common Crawl. Common Crawl is a legitimate nonprofit organization that maintains a vast archive of the internet and provides data for AI model training.
The worm downloaded parquet files containing hostname columns and then scanned those hostnames. Each infected node processed a separate window of parquet files based on a date or seed index, which meant no central coordination was required: each node independently searched for targets. Up to 15 million entries were held in an in-memory deduplication set.
The framework used several serious CVEs for exploitation. CVE-2025-55182, a server actions deserialization vulnerability in React and Next.js with a CVSS score of 9.0. CVE-2026-1357, an unauthenticated file upload flaw in the WPVivid WordPress backup plugin with a CVSS score of 9.8. CVE-2025-29927, a Next.js middleware authentication bypass. All of these enabled direct remote code execution in web applications.
Telegram was used for C2. The infected system posted data to one channel and received commands from another. The RUN command could execute any module on demand. The PARQUET command allowed the operator to manually assign new attack ranges to a node. The design was fully operator-controlled.
The lateral movement techniques in lateral.py were particularly dangerous for enterprise environments. In Kubernetes, the namespaces of the entire cluster were enumerated using the service account token. ConfigMaps and Kubernetes Secrets were read directly from the API. There was also a container escape that mounted the host filesystem.
The worm also spread to connected remote hosts via Docker socket detection. Persistence was achieved in Redis through cron job rewrites. Credentials were extracted from MongoDB. bootstrap.sh was run on fresh hosts using harvested SSH keys. Credentials were extracted from RayML clusters by submitting Python jobs to them. This was a complete playbook for compromising an entire enterprise cloud environment from a single infection.
Another striking feature of the entire campaign: there were no cryptominers. This is unusual, because almost every cloud attack campaign drops XMRig or some other miner. TeamPCP also ran miners in its campaigns. PCPJack deliberately removed them.
This suggests that the operator of PCPJack was taking a different approach to monetization: reselling credentials, committing financial fraud, running spam campaigns, and using Slack and business database credentials for extortion. It is a more patient and more targeted monetization strategy.
The second toolset, check.sh, was slightly different. It was an 858-line script. After collecting credentials, it deployed a Sliver C2 beacon. Sliver is an open source command and control framework. The binaries were obfuscated with garble, which scrambles Go type names, but analysis still confirmed Sliver from its protobuf field tags and RPC strings. Exfiltration used the typosquatted domain cdn.cloudfront-js.com, a fake version of CloudFront.
How to Defend Against PCPJack Cloud Worm Attacks in 2026
The first impression from the scope of PCPJack is that it is only a problem for advanced organizations. That is wrong. The framework uses public web scan data from Common Crawl, which means any exposed Docker endpoint or Kubernetes dashboard visible on the internet will automatically be scanned. There is no specific targeting and no manual recon. The worm finds its targets on its own.
The first and most important mitigation is to never expose Docker sockets to the internet. Unauthorized access to /var/run/docker.sock enables a complete container escape. Exposing the Kubernetes management API without authentication is equally dangerous. Authentication must also be mandatory on Redis and MongoDB. These are the basics, yet in the real world there are countless exposed instances, which proves that the basics are being ignored.
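A quick exposure audit for the services named above, as an added example (this is not code from the article or from SentinelLABS). It parses `ss -lntp`-style output and flags risky services bound to all interfaces, and separately checks the permission bits on the Docker socket. The port-to-service mapping and the Ray dashboard port are general defaults assumed here, not taken from the article; the listening-socket lines are constructed sample input.

```python
import os
import re
import stat

# Ports the named services listen on by default (general knowledge, assumed here).
RISKY_PORTS = {
    2375: "Docker daemon TCP socket (plaintext, no auth)",
    2376: "Docker daemon TLS socket (verify client-cert auth is on)",
    6379: "Redis",
    27017: "MongoDB",
    6443: "Kubernetes API server",
    8265: "Ray dashboard",  # assumed default
}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Local Address:Port column of `ss -lntp`, e.g. 0.0.0.0:2375, *:6379 or [::]:27017
_LOCAL = re.compile(r"^(?P<addr>\[[^\]]*\]|\*|[\d.]+):(?P<port>\d+)$")


def parse_ss_lines(lines):
    """Yield (addr, port, process) from `ss -lntp` output; header/garbage is skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        m = _LOCAL.match(parts[3])
        if not m:
            continue
        proc = parts[-1] if parts[-1].startswith("users:") else ""
        yield m.group("addr"), int(m.group("port")), proc


def find_exposed_services(lines):
    """Return findings for risky services listening on every interface."""
    findings = []
    for addr, port, proc in parse_ss_lines(lines):
        if port in RISKY_PORTS and addr in WILDCARD_ADDRS:
            findings.append({"port": port, "addr": addr,
                             "service": RISKY_PORTS[port], "process": proc})
    return findings


def docker_socket_risk(mode: int) -> list:
    """Evaluate Docker socket permission bits: write access equals root on the host."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    return issues


def audit_local_docker_socket(path="/var/run/docker.sock") -> list:
    """Stat the real socket if present (not exercised by the offline sample)."""
    if not os.path.exists(path):
        return []
    return docker_socket_risk(os.stat(path).st_mode)


# Constructed sample `ss -lntp` output: dockerd and mongod on all interfaces,
# redis bound to loopback only, sshd as a benign baseline.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=7))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=940,fd=6))
LISTEN 0      4096   [::]:27017          [::]:*            users:(("mongod",pid=1203,fd=11))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
""".splitlines()

if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_SS):
        print(f"EXPOSED {f['addr']}:{f['port']} {f['service']} {f['process']}")
    print("docker.sock issues:", audit_local_docker_socket())
```

On a real host, feed `subprocess.check_output(["ss", "-lntp"], text=True).splitlines()` into find_exposed_services; a wildcard bind is only a problem when the host's firewall or security group also allows the port, so treat a finding as a prompt to check that layer next.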
IMDSv2 must be enforced in AWS environments. PCPJack explicitly extracts credentials from IMDSv1, and that vector is closed once IMDSv2 is enforced. Service accounts in Kubernetes must follow the least privilege principle: if a pod only needs to operate in a specific namespace, it should not have cluster-wide read access.
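Two posture checks for the controls just described, as an added example (not the article's or SentinelLABS' code). The first walks a `describe_instances` response in the shape boto3 returns and lists instances where IMDSv1 is still accepted; the second walks ClusterRoles and ClusterRoleBindings as returned by `kubectl get ... -o json` and lists service accounts that can read Secrets across the whole cluster. Both inputs below are constructed samples with placeholder IDs; the boto3 and kubectl calls that would fetch real data are named in comments but not executed, so the block runs offline.

```python
# --- AWS: find instances that still answer IMDSv1 requests ---------------------
# Real data: boto3.client("ec2").describe_instances() returns this structure.

def find_imdsv1_instances(describe_instances_response) -> list:
    """Instance IDs whose metadata endpoint is enabled but does not require a token."""
    weak = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no IMDS at all: nothing for a worm to read
            if opts.get("HttpTokens", "optional") != "required":
                weak.append(inst["InstanceId"])
    return weak


def imdsv2_enforcement_params(instance_id) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options (real API, not
    called here). Hop limit 1 additionally keeps containers behind a bridge
    network from reaching the endpoint at all."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}


# --- Kubernetes: service accounts with cluster-wide Secret read ------------------
# Real data: kubectl get clusterroles,clusterrolebindings -o json (the .items lists).
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def secret_reading_cluster_roles(cluster_roles) -> set:
    """Names of ClusterRoles whose rules allow reading core-group Secrets."""
    names = set()
    for cr in cluster_roles:
        for rule in cr.get("rules", []):
            if not ({"", "*"} & set(rule.get("apiGroups", []))):
                continue
            if not ({"secrets", "*"} & set(rule.get("resources", []))):
                continue
            if SECRET_READ_VERBS & set(rule.get("verbs", [])):
                names.add(cr["metadata"]["name"])
    return names


def cluster_wide_secret_readers(cluster_roles, cluster_role_bindings) -> list:
    """Service accounts bound at cluster scope (ClusterRoleBinding, not a
    namespaced RoleBinding) to a ClusterRole that can read Secrets."""
    risky_roles = secret_reading_cluster_roles(cluster_roles)
    flagged = []
    for crb in cluster_role_bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subj in crb.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                flagged.append(f"{subj.get('namespace')}/{subj['name']} "
                               f"via {crb['metadata']['name']}")
    return flagged


# Constructed samples (placeholder IDs and names, not real resources).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-EXAMPLE-weak",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-EXAMPLE-ok",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-EXAMPLE-noimds",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]}
SAMPLE_ROLES = [
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "app-sa-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}]},
    {"metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "dash", "namespace": "monitoring"}]},
]

if __name__ == "__main__":
    print("IMDSv1 still allowed:", find_imdsv1_instances(SAMPLE_DESCRIBE))
    print("cluster-wide secret readers:",
          cluster_wide_secret_readers(SAMPLE_ROLES, SAMPLE_BINDINGS))
```

A service account that only appears via a namespaced RoleBinding is deliberately not flagged, because that is exactly the least-privilege shape the text recommends; the finding to act on is a ServiceAccount subject on a ClusterRoleBinding whose role can read Secrets.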
Use an enterprise-wide vault solution for secret management, such as HashiCorp Vault or AWS Secrets Manager. Storing credentials in clear-text config files is a direct invitation to attack. Secrets committed to GitHub repositories are a separate threat vector: the _mgr module specifically scans git history for deleted secrets, so if you ever accidentally committed credentials and later deleted them, they are also on PCPJack's radar.
At the network monitoring layer, connections that download Common Crawl parquet files should be flagged; this is unusual network behavior for a production workload. Outbound Telegram bot API calls in unusual volumes are also a detection signal. Creation of the /var/lib/.spm/ directory should trigger an alert in endpoint detection tools. Unexpected systemd services such as sys-monitor.service or spm-worker.service should be investigated immediately.
The domains cdn.cloudfront-js.com and lastpass-login-help.com from the IOCs, and the S3 bucket spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com, should be blocked in DNS filtering and firewalling. The German VPS IPs hardcoded in bootstrap.sh should also be on the blocklist.
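The detection logic from the two paragraphs above, as an added example run over constructed sample data (this is not code from the article or from SentinelLABS). The domain, path and service-name indicators are the ones the article lists; the Common Crawl and Telegram hostnames, the proxy log line format, and the per-host Telegram call threshold are assumptions made here and should be tuned to your own logs.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators from the article.
BLOCKED_DOMAINS = {
    "cdn.cloudfront-js.com",
    "lastpass-login-help.com",
    "spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com",
}
SUSPICIOUS_PATH_PREFIXES = ("/var/lib/.spm/",)
SUSPICIOUS_UNITS = {"sys-monitor.service", "spm-worker.service"}

# Assumptions made for this example.
COMMON_CRAWL_SUFFIX = "commoncrawl.org"
TELEGRAM_API_HOST = "api.telegram.org"
TELEGRAM_BOT_THRESHOLD = 20  # calls per source host per log window; tune to baseline

# Constructed proxy log format: "<epoch> <src_ip> <method> <url>"
_PROXY = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def analyse_proxy_log(lines) -> list:
    """Return (source_ip, reason) alerts for the network behaviours the text describes."""
    alerts = []
    telegram_calls = Counter()
    for line in lines:
        m = _PROXY.match(line.strip())
        if not m:
            continue
        src, parsed = m.group("src"), urlparse(m.group("url"))
        host, path = (parsed.hostname or "").lower(), parsed.path
        if host in BLOCKED_DOMAINS:
            alerts.append((src, f"contact with blocked indicator {host}"))
        elif host.endswith(COMMON_CRAWL_SUFFIX) and path.endswith(".parquet"):
            alerts.append((src, "Common Crawl parquet index download"))
        elif host == TELEGRAM_API_HOST and path.startswith("/bot"):
            telegram_calls[src] += 1  # bot API, not the ordinary client app
    for src, n in telegram_calls.items():
        if n >= TELEGRAM_BOT_THRESHOLD:
            alerts.append((src, f"{n} Telegram bot API calls"))
    return alerts


def check_host_artifacts(existing_paths, unit_names) -> list:
    """Return findings for the on-disk and systemd indicators named in the text."""
    findings = []
    for p in existing_paths:
        if p.startswith(SUSPICIOUS_PATH_PREFIXES):
            findings.append(f"path {p}")
    for u in unit_names:
        if u in SUSPICIOUS_UNITS:
            findings.append(f"systemd unit {u}")
    return findings


# Constructed sample inputs (placeholder token, private IPs).
SAMPLE_PROXY = [
    "1777000000 10.0.0.5 GET https://data.commoncrawl.org/cc-index/table/cc-main/warc/"
    "crawl=CC-MAIN-2026-10/subset=warc/part-00000.parquet",
    "1777000001 10.0.0.5 POST https://cdn.cloudfront-js.com/u/upload",
    "1777000002 10.0.0.9 GET https://pypi.org/simple/requests/",
] + [f"{1777001000 + i} 10.0.0.7 POST https://{TELEGRAM_API_HOST}/botPLACEHOLDER_TOKEN/getUpdates"
     for i in range(20)]
SAMPLE_PATHS = ["/etc/hostname", "/var/lib/.spm/monitor.py"]
SAMPLE_UNITS = ["ssh.service", "cron.service", "spm-worker.service"]

if __name__ == "__main__":
    for src, reason in analyse_proxy_log(SAMPLE_PROXY):
        print(f"NET  {src}: {reason}")
    for finding in check_host_artifacts(SAMPLE_PATHS, SAMPLE_UNITS):
        print(f"HOST {finding}")
```

For real use, point check_host_artifacts at `os.walk("/var/lib")` results and the output of `systemctl list-unit-files`, and feed analyse_proxy_log one log window at a time so the Telegram threshold stays meaningful.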
There is a common assumption in the world of cloud security: "We are in the cloud, so security is the cloud provider's responsibility." PCPJack shattered that assumption. AWS, Azure or GCP secure their data centers, but not your containers. Not your Kubernetes pods.
Not your exposed Redis instances. When a worm enters through a single exposed Docker port, it can spread throughout the entire cluster. It is not just credentials that are taken out; the entire infrastructure becomes a pivot point. PCPJack's name was an inside joke aimed at a rival attacker. But that joke carried a serious message: no one belongs to anyone in the cloud. And when attackers are victimising each other, it becomes very important to think about where the defenders stand.