
PCPJack worm-like credential theft framework

Malware Activity
Happening score: 45
1 unique source, 1 article

Summary


The PCPJack malware framework now conducts credential theft across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters because the toolset harvests secrets from cloud, container, developer, productivity, and financial services and exfiltrates them through attacker-controlled infrastructure. The orchestrator spreads worm-like across Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web apps by exploiting CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Analysts assess the operation as financially motivated, with stolen access potentially used for fraud, spam, extortion, or resale.

Related Happenings

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

Major South Korean electronics manufacturer hit by data theft breach

Incident
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

PCPJack TeamPCP-targeting cloud credential theft campaign

Campaign
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...

Timeline

  1. 07.05.2026 20:45 2 articles · 20d ago

    PCPJack credential theft framework disclosed

    Initial Disclosure

    Cybersecurity researchers disclosed PCPJack, a new credential theft framework that targets exposed cloud infrastructure and removes TeamPCP artifacts from compromised environments. The framework harvests credentials from cloud, container, developer, productivity, and financial services, encrypts the stolen data before exfiltration, and uses Telegram for command-and-control. It spreads worm-like across Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications using a bootstrap shell script, six Python payloads, target lists drawn from Common Crawl parquet files, and exploitation of CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
