A New Credential Stealer Called PCPJack Tracks Whether You're Already Infected by Its Rivals—Then Kicks Them Out

How PCPJack Gets In

The framework targets internet exposed services that have either default configurations or unpatched CVEs:

• Docker daemons exposed without authentication
• Kubernetes API servers reachable from the internet
• Redis instances with no auth
• MongoDB with default credentials
• RayML distributed compute clusters
• Vulnerable web applications exploitable via five known CVEs: CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703

The target list comes from Common Crawl—the same public web archive a researcher might use for academic analysis. The operator pulls Common Crawl parquet files, filters them for service banners that match its target list, and then sprays its bootstrap script at every match. The same dataset that sits behind LLM training is now sitting behind cloud target acquisition.

What Lands on the Victim

A bootstrap shell script handles the early stages: it removes any TeamPCP artifacts from the host, installs Python if needed, sets up persistence, and downloads six Python modules with deliberately bland names:

• worm.py (monitor.py) — the main orchestrator. Launches the other modules, runs local credential theft, and drives propagation through CVE exploitation.
• parser.py (utils.py) — extracts credentials from harvested files and categorizes them by service.
• lateral.py (_lat.py) — handles internal reconnaissance and lateral movement.
• crypto_util.py (_cu.py) — encrypts captured credentials before exfiltration.
• cloud_ranges.py (_cr.py) — refreshes IP ranges from AWS, Google Cloud, Azure, Cloudflare, Cloudfront, and Fastly every 24 hours.
• cloud_scan.py (_csc.py) — scans those ranges to find new external propagation targets.

A separate check.sh script detects the host's CPU architecture and fetches the matching Sliver implant binary—Sliver is the open source command and control framework Sliver Labs ships, frequently abused by criminal operators because it is well documented and free. PCPJack also queries cloud instance metadata service (IMDS) endpoints and Kubernetes service accounts on its way through.

The Credential Catalog

Where PCPJack stands out from generic stealers is the depth of its credential catalog. The parser does not just sweep .env files and SSH keys. It looks for tokens issued by specific high value APIs, including:

• Anthropic API keys
• OpenAI API keys
• HashiCorp Vault tokens
• 1Password service account tokens
• Grafana Cloud API tokens
• Digital Ocean tokens
• Discord tokens
• Google API keys

An exposed Anthropic or OpenAI key is now worth real money on the model abuse market. An attacker can run inference against the victim's account—racking up dollar figures in API charges that the victim absorbs—or sell the key directly to operators of LLM proxies who advertise "GPT-4 access for cheap." The same logic applies to every other API key on the list.

Encrypted stolen data exits the host through Telegram. Telegram remains the C2 channel of choice for low effort criminal operations because it offers reliable bots, no platform takedown pressure for criminal use cases, and free hosting.

Why the "PCP Replaced" Metric Matters

PCPJack shares targeting overlap with TeamPCP—the same group behind the Mini Shai-Hulud npm worm that hit SAP packages in late April and the PyPI campaign that hid malware in WAV audio files. PCPJack and TeamPCP target the same kinds of hosts. The bootstrap script, in fact, deliberately removes TeamPCP artifacts.

SentinelOne's working theory is that PCPJack is the work of a former TeamPCP member who took the playbook and broke off. The framework tracks whether TeamPCP was already on the host and reports back to operators every time it evicted them. Where TeamPCP installs a cryptocurrency miner, PCPJack does not—the operator deliberately stripped that out. PCPJack only takes credentials.

That detail is important because it changes the economic logic of cloud worm campaigns. Mining campaigns are loud and resource intensive—the victim notices the CPU pinned at 100%. A pure credential stealer wants to be quiet. By stripping the miner and adding rival eviction logic, PCPJack signals that the operator believes credentials are now more valuable than mining returns from any given host. That trade has been moving in this direction for two years. The "PCP replaced" metric is what that movement looks like in code.

Why This Matters Beyond Cloud Operators

The credentials PCPJack steals do not stay in the cloud. They flow into downstream attacks against the people whose data sits behind those services.

A stolen Discord token gets used to phish a server's members. A stolen OpenAI key gets used to run inference against employees' chat logs. A stolen Anthropic key gets resold to whoever is running the next fake Claude AI site. A stolen email service token gets used to send phishing emails from a domain real customers already trust—exactly the pattern that hit Amazon SES customers earlier this month.

The downstream effect of a cloud credential breach is rarely contained to the cloud. The exposed Anthropic key on a developer's laptop today is the phishing email a marketing director receives next month.

What to Do

If you operate cloud workloads, the defensive playbook is unglamorous but works against PCPJack and the half dozen other frameworks that look like it:

• Take Docker, Kubernetes, Redis, and MongoDB off the public internet. If a service must be exposed, put it behind authentication and a firewall. Default open is no longer survivable.
• Patch the five referenced CVEs. CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703 are all public.
• Rotate API keys regularly. Treat keys for Anthropic, OpenAI, Vault, 1Password, Digital Ocean, and similar services as session tokens, not as permanent credentials.
• Use scoped service accounts. An IAM principal that can only read one S3 bucket survives a credential leak in a way that an admin token does not.
• Watch outbound traffic to Telegram. Production cloud workloads almost never need to reach api.telegram.org. A workload that suddenly does is the C2.
• Subscribe to your own cloud provider's IP range feeds. PCPJack uses them to hunt. Your detection pipeline can use them to know when something inside your tenant starts scanning them.

For developers who keep keys in .env files: the half measures—obscure filenames, custom env vars, in repo encryption—do not slow PCPJack down. The parser knows what an Anthropic API key looks like regardless of what the variable is called. A credential vault with short lived tokens issued at runtime is the only meaningful protection.

The Bottom Line

PCPJack is small, modular, and quiet. It does not break new technical ground. What it documents is a market shift: criminal operators have stopped trying to make money from a victim's CPU and started competing for a victim's credentials, because the credentials are worth more than the compute.

An exposed Docker daemon used to be a free GPU farm. In 2026 it is a token harvester. The next generation of intrusions—the phishing campaigns, the supply chain attacks, the impersonation emails—will be built on the credentials harvested by frameworks like this one.