PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
Summary
Hide ▲
Show ▼
A new PCPJack campaign is targeting TeamPCP victims by worming across exposed cloud infrastructure, creating a fresh risk of credential theft and unauthorized reuse of cloud access. The framework strips TeamPCP artifacts before moving laterally through the victim environment. It can steal credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. The activity appears designed for monetization through stolen access rather than crypto-mining.
Related Happenings
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
First: 19.05.2026 07:54
Last: 19.05.2026 07:54
Sources 1
About this happening:
**TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor MetaAbout this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor MetaAbout this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP campaign expands across multiple victims
Campaign
First: 15.05.2026 13:54
Last: 15.05.2026 13:54
Sources 1
About this happening:
The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
TeamPCP campaign expands across multiple victims
CampaignAbout this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Timeline
-
08.05.2026 12:00 2 articles · 19d ago
PCPJack disclosure on TeamPCP victims
Initial DisclosureSentinelOne disclosed PCPJack, a credential theft framework aimed at victims of TeamPCP that worms across exposed cloud infrastructure, removes TeamPCP artifacts, and steals credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications; the company also recommended using a credential vault or secrets management service, enforcing MFA for service accounts, enforcing IMDSV2 in AWS, allow-listing downloads from approved S3 resources, authenticating Docker and Kubernetes, and applying least privilege to Kubernetes service accounts.
Show sources
- PCPJack Campaign Boots TeamPCP Off Compromised Machines — www.infosecurity-magazine.com — 08.05.2026 12:00
- PCPJack Campaign Boots TeamPCP Off Compromised Machines — www.infosecurity-magazine.com — 08.05.2026 12:00