
PCPJack Linux cloud credential-theft and persistence framework

Malware Activity
1 unique source, 1 article

Summary


The PCPJack malware framework is stealing credentials from exposed Linux cloud systems, creating a broad risk of account takeover and lateral movement. It targets services including Docker, Kubernetes, Redis, MongoDB, and RayML while also removing TeamPCP access from compromised systems. The framework exfiltrates secrets to Telegram, installs persistence, and spreads by scanning for exposed services and exploiting known vulnerabilities such as CVE-2025-29927 and CVE-2025-55182. Its activity can expose developer and cloud accounts, opening the door to fraud, resale, and extortion.

Related Happenings

TeamPCP campaign expands across multiple victims

Campaign
First: 15.05.2026 13:54 Last: 15.05.2026 13:54 Sources 1

About this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

PCPJack TeamPCP-targeting cloud credential theft campaign

Campaign
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...

PCPJack worm-like credential theft framework

Malware Activity
First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

Timeline

  1. 07.05.2026 21:35 (2 articles)

    SentinelLabs discloses PCPJack cloud credential theft framework

    Initial Disclosure

    SentinelLabs disclosed PCPJack, a malware framework that targets Linux-based cloud systems and exposed cloud infrastructure to steal credentials, remove TeamPCP access, and spread through exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML. The malware uses bootstrap.sh to create a hidden working directory, install dependencies, download modules, establish persistence, and launch monitor.py. It then harvests SSH keys and credentials, performs lateral movement, and encrypts the stolen data with X25519 ECDH and ChaCha20-Poly1305 before exfiltrating it to Telegram. For propagation it reuses known vulnerabilities, including CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
