PCPJack: The Worm That Evicts Rival Malware and Steals
PCPJack: The Worm That Evicts Rival Malware and Steals AI Credentials
A new Linux worm dubbed PCPJack is circulating in cloud environments, and it does something unusual: it actively removes competing malware before stealing every credential it can find. SentinelLabs disclosed the campaign in May 2026, describing a toolset that targets Docker, Kubernetes, Redis, MongoDB, Ray ML clusters, and WordPress instances at scale. The operators are likely a former member of the TeamPCP group — the same threat actor behind the March 2026 Trivy supply chain compromise — and they know the group’s infrastructure well enough to evict it from compromised hosts.
The implications for cloud operations teams are direct: five separate CVEs are being chained for initial access, lateral movement uses container escape techniques against default Docker and Kubernetes configurations, and the primary payload targets AI service API keys alongside traditional cloud credentials. If you run containers, ML infrastructure, or WordPress in cloud environments, this campaign is in your threat model whether you knew it or not.
The Five CVEs That Open the Door
PCPJack gains initial access through a combination of internet-wide scanning and exploitation of five known vulnerabilities, all of which have patches available:
- CVE-2025-29927 (CVSS 9.1) — Authentication bypass in Next.js middleware. An attacker adds a crafted
x-middleware-subrequestheader and skips authorization entirely. NVD - CVE-2025-55182 (“React2Shell”, CVSS 10.0) — Deserialization flaw in React Server Components and Next.js enabling remote code execution through the React Flight protocol. Actively exploited within hours of its December 2025 disclosure. Akamai Security Research
- CVE-2025-48703 — OS command injection in CentOS Web Panel’s file manager, exploitable by unauthenticated attackers. Over 220,000 internet-facing instances were vulnerable at disclosure. Cybersecurity News
- CVE-2025-9501 — PHP injection in W3 Total Cache WordPress plugin, extending PCPJack’s reach into the WordPress hosting ecosystem. SentinelOne
- CVE-2026-1357 — Unauthenticated file upload in WPVivid Backup plugin for WordPress. The Hacker News
The common thread: every one of these has been patchable for months. PCPJack’s success rate depends entirely on unpatched, internet-facing infrastructure. The WordPress-focused CVEs alone give the worm access to an enormous attack surface — any hosting provider running outdated W3 Total Cache or WPVivid plugins on exposed instances is a potential entry point.
From Initial Access to Lateral Movement
Once a host is compromised, PCPJack’s orchestration script (pcpjack.py) executes a structured reconnaissance sweep. The attack chain follows a clear pattern:
- Environment preparation: A bootstrap shell script creates a hidden working directory, installs Python, establishes persistence through systemd services and cron jobs, downloads follow-on modules, and deletes itself. SentinelOne
- Competitor eviction: Before deploying its own tooling, PCPJack checks for and removes all traces of TeamPCP — processes, containers, services, files, and persistence mechanisms. The malware literally records whether it displaced TeamPCP from the target. iSec News
- Credential harvesting: Separate modules parse secrets from environment variables, configuration files, SSH keys, and cloud metadata endpoints (IMDSv1). SentinelOne
- Lateral movement: The worm scans for exposed Docker daemons (TCP ports 2375/2376 and Unix sockets), Kubernetes API servers with misconfigured RBAC, Redis instances vulnerable to cron rewrite, and Ray ML job submission APIs on port 8265. SentinelOne
The Docker attack is worth underscoring: PCPJack uses bind-mount techniques to access host filesystems from within containers. If your Docker daemon is exposed on TCP without TLS and authentication — still a surprisingly common misconfiguration — the worm gets a path to the host filesystem without needing a container escape exploit.
What Gets Stolen: Fourteen Categories of Credentials
The bot.py module categorizes harvested credentials into fourteen buckets. The scope is broad enough to be alarming:
| Category | Targets |
|---|---|
| Cloud IaaS | AWS access keys, DigitalOcean credentials, Kubernetes service account tokens |
| Container | Docker registry credentials, container runtime tokens |
| Developer tools | GitHub personal access tokens, HashiCorp Vault tokens |
| AI services | OpenAI API keys, Anthropic API keys |
| Productivity | Slack tokens, Office 365 credentials, 1Password service accounts |
| Observability | Grafana Cloud API keys |
| Financial | Binance, Coinbase, Gemini, Kraken, Stripe keys; crypto wallet files |
| Messaging | SendGrid, Mailgun, Mailchimp, Twilio, Amazon SES credentials |
The messaging category is a red flag. Stolen SendGrid and Mailgun credentials aren’t being collected for their own sake — they’re infrastructure for future phishing and spam operations. The combination of bulk messaging credentials with stolen cloud access keys suggests the operators plan to monetize through multiple channels: direct credential resale, inference abuse through stolen AI API keys, and spam/phishing campaigns using compromised email services.
Exfiltration uses Telegram as the C2 channel, with credentials encrypted via X25519 ECDH key exchange and ChaCha20-Poly1305 symmetric encryption, then split into 2,800-byte chunks to comply with Telegram’s message limits. Payload hosting runs through a typosquatted CloudFront domain (cdn.cloudfront-js.com:8443) and an attacker-controlled S3 bucket. SentinelOne
The AI Infrastructure Angle
PCPJack’s active targeting of OpenAI and Anthropic API keys, combined with its focus on Ray ML clusters, reflects a shift in attacker economics that security teams need to internalize. The malware has no cryptomining component — a deliberate choice. The operators have concluded that stealing AI infrastructure credentials is more profitable than commandeering compute for mining. Cloud Security Alliance
Against Ray ML clusters, PCPJack submits Python jobs to the Ray job submission API (port 8265) that instruct workers to exfiltrate environment variables and download the bootstrap script — propagating the infection into the ML compute environment with a single API call. Any organization running Ray clusters without token authentication and network segmentation is a sitting duck. SentinelOne
The targeting of HashiCorp Vault and 1Password credentials indicates a secondary goal: acquiring secrets-management access that unlocks cascading downstream credentials. A stolen Vault token doesn’t just give you one secret — it can give you hundreds.
What to Do Right Now
If you have cloud infrastructure matching PCPJack’s target profile, treat these as urgent:
- Patch all five CVEs. Every one has a vendor patch available. The Next.js and React Server Components patches in particular have been out for months and are well-documented. NVD, Akamai
- Firewall Ray ML APIs. Port 8265 should not be reachable from untrusted networks. If you run Ray clusters, enable token authentication immediately — the ShadowRay hardening guidance from Oligo Security provides the specifics. SentinelOne
- Disable Docker TCP exposure. Ports 2375 and 2376 should not accept unauthenticated connections. All Docker management should go through the Unix socket with appropriate access controls.
- Enforce IMDSv2 on all EC2 instances. IMDSv2 requires a session token for metadata access, which blocks the credential harvesting PCPJack’s modules perform against IMDSv1 endpoints.
- Hunt for IOCs. Check for the systemd service
pcpjack.service, cron entries invoking Python from unusual temporary paths, and outbound connections to Telegram API endpoints. If you find any, assume full credential compromise and rotate everything. SentinelOne - Block Telegram API at egress. If no legitimate business use exists for Telegram from your cloud infrastructure, block it at the network level. This disrupts the C2 channel even on already-infected hosts.
- Rotate credentials from prior TeamPCP exposure. Organizations affected by the March 2026 TeamPCP supply chain campaigns face elevated risk — PCPJack specifically targets the same environments. SecurityWeek
Longer-term: stop storing credentials in environment variables and configuration files. Use secrets management tooling, and treat AI API keys with the same rigor as privileged cloud credentials — short-lived tokens where platform support exists, per-workload scoping, and usage anomaly alerting. PCPJack is not the last worm that will target AI infrastructure credentials. It’s just the first one that figured out the economics.
References
- SentinelOne Labs: PCPJack — Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
- The Hacker News: PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
- Cloud Security Alliance: PCPJack — Cloud Worm Targeting AI Infrastructure Credentials
- SecurityWeek: PCPJack Worm Removes TeamPCP Infections, Steals Credentials
- Akamai: CVE-2025-55182 — React and Next.js Server Functions Deserialization RCE
- NVD: CVE-2025-29927 — Next.js Middleware Authentication Bypass
- Cybersecurity News: CWP OS Command Injection Vulnerability Exploited