PCPJack credential stealer exploits five cloud CVEs

PCPJack steals credentials from exposed cloud hosts and spreads worm-like across Docker, Kubernetes, Redis, MongoDB and RayML while removing TeamPCP artifacts.

SentinelOne published technical details this week about PCPJack, a credential-stealing framework that targets exposed cloud infrastructure. The tool harvests secrets from containers and cloud services and spreads in a worm-like fashion across Docker, Kubernetes, Redis, MongoDB and RayML. The operator uses Telegram for command-and-control and at least five public CVEs for propagation: CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501 and CVE-2025-48703.

SentinelOne researcher Alex Delamotte described the toolkit as harvesting ‘credentials from cloud, container, developer, productivity, and financial services’ and exfiltrating them through attacker-controlled infrastructure while attempting to spread to additional hosts. The analysis outlines a multi-stage attack that begins with a bootstrap shell script that prepares the host, installs Python, downloads follow-on tooling, establishes persistence and then removes itself.

The bootstrap script also searches for and evicts components attributed to TeamPCP from infected systems. After initial setup, PCPJack writes six Python modules to disk and launches an orchestrator written to disk as monitor.py (the codebase refers to the orchestrator as worm.py). Modules perform credential collection and parsing, lateral movement across SSH, Kubernetes, Docker, Redis, RayML and MongoDB, encryption of stolen data before exfiltration, daily refresh of cloud provider IP ranges, and cloud port scanning for externally reachable services.

Propagation targets are gathered in part by downloading parquet files from the Common Crawl archive, which the actor uses to build a list of externally exposed services. When data is exfiltrated, operator telemetry includes a field labeled ‘PCP replaced’ that reports whether TeamPCP artifacts were removed; this field is sent to the Telegram command channel used for C2.

Analysis of the actor’s infrastructure uncovered an additional script named check.sh that detects CPU architecture and fetches an appropriate Sliver implant. The script queries cloud Instance Metadata Service endpoints, Kubernetes service accounts and Docker instances for credentials tied to services including Anthropic, DigitalOcean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password and OpenAI, and forwards harvested items to an external server.
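As an added illustration for defenders (not code from SentinelOne's report or from the malware), the following hunting heuristic correlates, per host, the behaviours the two preceding paragraphs attribute to PCPJack: a shell bootstrap installing Python, a Python orchestrator named monitor.py or worm.py, Instance Metadata Service queries, and Telegram egress. The event schema, the /tmp path, the threshold and the sample telemetry are assumptions; 169.254.169.254 is the standard link-local IMDS address.

```python
from collections import defaultdict

# Hypothetical event schema: each event has "host", "type" ("process" or
# "network") and, per type, "parent"/"cmd" or "dst".
IMDS_ENDPOINTS = {"169.254.169.254", "metadata.google.internal"}
TELEGRAM_API = "api.telegram.org"
ORCHESTRATOR_NAMES = ("monitor.py", "worm.py")   # names from the report
PKG_MANAGERS = ("apt", "apt-get", "yum", "dnf", "apk")

def python_installed_from_shell(ev):
    # Bootstrap step: a shell parent installing Python via a package manager.
    return (ev["type"] == "process" and ev["parent"].endswith("sh")
            and ev["cmd"].split()[0] in PKG_MANAGERS and "python" in ev["cmd"])

def orchestrator_launched(ev):
    # Python interpreter started on a file named like the orchestrator.
    return (ev["type"] == "process" and "python" in ev["cmd"]
            and any(n in ev["cmd"] for n in ORCHESTRATOR_NAMES))

def imds_queried(ev):
    # Cloud metadata endpoint contacted (the check.sh credential harvesting).
    return ev["type"] == "network" and ev["dst"] in IMDS_ENDPOINTS

def telegram_egress(ev):
    # Telegram used as C2; alone this is weak evidence (legitimate bots exist).
    return ev["type"] == "network" and ev["dst"] == TELEGRAM_API

CHECKS = {"python_install": python_installed_from_shell,
          "orchestrator": orchestrator_launched,
          "imds_query": imds_queried,
          "telegram_egress": telegram_egress}

def behaviours_per_host(events):
    """Map each host to the set of PCPJack-like behaviours seen on it."""
    hits = defaultdict(set)
    for ev in events:
        for name, check in CHECKS.items():
            if check(ev):
                hits[ev["host"]].add(name)
    return dict(hits)

def suspicious_hosts(events, min_behaviours=3):
    """Hosts showing at least min_behaviours of the chain; the chain, not a single match, is the signal."""
    return sorted(h for h, b in behaviours_per_host(events).items()
                  if len(b) >= min_behaviours)

# Constructed sample telemetry: node-a shows the full chain, node-b only runs a Telegram bot.
SAMPLE_EVENTS = [
    {"host": "node-a", "type": "process", "parent": "/bin/sh", "cmd": "apt-get install -y python3"},
    {"host": "node-a", "type": "process", "parent": "/bin/sh", "cmd": "python3 /tmp/monitor.py"},
    {"host": "node-a", "type": "network", "dst": "169.254.169.254"},
    {"host": "node-a", "type": "network", "dst": "api.telegram.org"},
    {"host": "node-b", "type": "network", "dst": "api.telegram.org"},
]
```

Running `suspicious_hosts(SAMPLE_EVENTS)` flags only node-a; node-b's lone Telegram connection stays below the threshold.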

SentinelOne’s report notes PCPJack does not deploy cryptocurrency miners and removes miner functions associated with TeamPCP. The company assesses the campaign’s likely objectives include generating revenue through credential theft, fraud, spam, extortion or resale of access. SentinelOne published technical module descriptions and indicators of compromise to support defenders and investigators.
