PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
Summary
Hide ▲
Show ▼
PCPJack is a Linux cloud malware framework that steals credentials from exposed cloud systems and now has been tied to a covert SMTP relay network running on AWS, Google Cloud, and Microsoft Azure. Hunt.io said compromised business servers across the U.S., Europe, and Asia were converted into SMTP proxies, with open directories on C2 213.136.80[.]73 exposing source code, binaries, Sliver configuration, and Chisel tooling. The infrastructure remained active when found, with verified proxies enriched through api.ipify[.]org and ip-api[.]com and synced every five minutes to 38.242.204[.]245. SentinelOne first identified PCPJack in April 2026 as a cloud-focused credential theft framework, and the new activity shows the malware being used for scalable email relay operations.
Related Happenings
PCPJack covert SMTP relay campaign
Campaign
H score37
First: 05.06.2026 08:34
Last: 05.06.2026 08:34
Sources 1
How related:
The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network.
About this happening:
The **PCPJack** campaign converted hijacked **AWS, Google Cloud, and Microsoft Azure** servers into a covert **SMTP relay network**, enabling large-scale email delivery through ve...
PCPJack covert SMTP relay campaign
CampaignHow related: The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network.
About this happening: The **PCPJack** campaign converted hijacked **AWS, Google Cloud, and Microsoft Azure** servers into a covert **SMTP relay network**, enabling large-scale email delivery through ve...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
TeamPCP campaign expands across multiple victims
Campaign
H score49
First: 15.05.2026 13:54
Last: 15.05.2026 13:54
Sources 1
About this happening:
The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
TeamPCP campaign expands across multiple victims
CampaignAbout this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
H score27
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware ActivityAbout this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
Timeline
-
05.06.2026 08:34 1 articles · 1mo ago
PCPJack converts AWS, Google Cloud, and Azure servers into SMTP relay network
Campaign Scope UpdateHunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
Show sources
- PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network — thehackernews.com — 05.06.2026 08:34
-
07.05.2026 21:35 2 articles · 2mo ago
SentinelLabs discloses PCPJack cloud credential theft framework
Initial DisclosureSentinelLabs disclosed PCPJack, a malware framework targeting Linux-based cloud systems and exposed cloud infrastructure to steal credentials, remove TeamPCP access, and spread through exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML. The malware uses bootstrap.sh to create a hidden working directory, install dependencies, download modules, establish persistence, and launch monitor.py, then harvests SSH keys and credentials, performs lateral movement, encrypts stolen data with X25519 ECDH and ChaCha20-Poly1305 for exfiltration to Telegram, and reuses known vulnerabilities including CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
Show sources
- New PCPJack worm steals credentials, cleans TeamPCP infections — www.bleepingcomputer.com — 07.05.2026 21:35
- New PCPJack worm steals credentials, cleans TeamPCP infections — www.bleepingcomputer.com — 07.05.2026 21:35