Malware ‘PCPJack’ Replaces TeamPCP and Harvests Cloud Secrets Across Multiple Cloud Environments
What Happened — Researchers observed a new variant of the TeamPCP malware family, dubbed PCPJack, that overwrites the original payload and then scans cloud accounts for API keys, tokens, and other secrets. The malware leverages hidden Parquet files to map and validate targets while remaining stealthy.
Why It Matters for TPRM —
- Credential‑theft malware of this kind can compromise any third‑party cloud service you rely on.
- Stealthy discovery techniques make detection difficult, increasing risk of lateral movement.
- Exfiltrated secrets can be reused to access SaaS, IaaS, and PaaS resources, amplifying supply‑chain exposure.
Who Is Affected — Cloud‑service providers, SaaS vendors, MSPs, and any organization that stores secrets (API keys, tokens, certificates) in cloud environments.
Recommended Actions —
- Review all third‑party cloud integrations for secret‑management hygiene.
- Enforce least‑privilege IAM policies and rotate credentials regularly.
- Deploy behavior‑based detection for anomalous Parquet file creation and cloud‑API enumeration.
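The cloud‑API enumeration detection recommended above, as an added worked example that is not part of the Dark Reading report and not code from any vendor: it walks CloudTrail‑shaped records and flags a principal whose read‑only List/Describe/Get calls inside a short window span many distinct APIs across several services, which is the discovery pattern a secret‑harvester produces before it starts pulling credentials. The sample events, the principal ARNs, the five‑minute window and the 8‑call / 3‑service thresholds are all constructed assumptions for the illustration; tune them to your own baseline.

```python
"""Flag cloud-API enumeration bursts in CloudTrail-style records.

Added illustration (not from the Dark Reading report). Sample records,
ARNs and thresholds below are constructed assumptions, not real telemetry.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

READ_ONLY_PREFIXES = ("List", "Describe", "Get", "Enumerate")
WINDOW = timedelta(minutes=5)          # assumption: discovery burst window
MIN_DISTINCT_CALLS = 8                 # assumption: distinct (service, API) pairs
MIN_DISTINCT_SERVICES = 3              # assumption: distinct services touched


def _event(ts: str, arn: str, source: str, name: str) -> dict:
    """Build a CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name}


SWEEPER = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed
NORMAL = "arn:aws:iam::123456789012:user/alice"        # constructed

SAMPLE_EVENTS = [
    # One principal sweeping many services in under a minute.
    _event("2024-05-01T09:00:00Z", SWEEPER, "iam.amazonaws.com", "ListUsers"),
    _event("2024-05-01T09:00:05Z", SWEEPER, "iam.amazonaws.com", "ListRoles"),
    _event("2024-05-01T09:00:10Z", SWEEPER, "s3.amazonaws.com", "ListBuckets"),
    _event("2024-05-01T09:00:20Z", SWEEPER, "secretsmanager.amazonaws.com", "ListSecrets"),
    _event("2024-05-01T09:00:25Z", SWEEPER, "ssm.amazonaws.com", "DescribeParameters"),
    _event("2024-05-01T09:00:30Z", SWEEPER, "ec2.amazonaws.com", "DescribeInstances"),
    _event("2024-05-01T09:00:40Z", SWEEPER, "lambda.amazonaws.com", "ListFunctions"),
    _event("2024-05-01T09:00:50Z", SWEEPER, "sts.amazonaws.com", "GetCallerIdentity"),
    _event("2024-05-01T09:01:00Z", SWEEPER, "kms.amazonaws.com", "ListKeys"),
    # A normal user: a few calls to one service, spread out over time.
    _event("2024-05-01T09:00:00Z", NORMAL, "s3.amazonaws.com", "ListBuckets"),
    _event("2024-05-01T09:03:00Z", NORMAL, "s3.amazonaws.com", "GetObject"),
    _event("2024-05-01T09:30:00Z", NORMAL, "s3.amazonaws.com", "PutObject"),
]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_read_only(event_name: str) -> bool:
    """Discovery-style calls are the read-only families, by name prefix."""
    return event_name.startswith(READ_ONLY_PREFIXES)


def find_enumeration_bursts(events, window=WINDOW, min_calls=MIN_DISTINCT_CALLS,
                            min_services=MIN_DISTINCT_SERVICES) -> dict[str, dict]:
    """Return {principal_arn: finding} for principals whose read-only calls
    inside any `window` cover >= min_calls distinct APIs across >= min_services
    services. Uses a two-pointer sliding window per principal."""
    by_principal: dict[str, list] = defaultdict(list)
    for ev in events:
        if is_read_only(ev["eventName"]):
            by_principal[ev["userIdentity"]["arn"]].append(ev)

    findings = {}
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        start = 0
        for end in range(len(evs)):
            t_end = _parse_time(evs[end]["eventTime"])
            while t_end - _parse_time(evs[start]["eventTime"]) > window:
                start += 1
            window_evs = evs[start:end + 1]
            calls = {(e["eventSource"], e["eventName"]) for e in window_evs}
            services = {e["eventSource"] for e in window_evs}
            if len(calls) >= min_calls and len(services) >= min_services:
                findings[arn] = {"start": evs[start]["eventTime"],
                                 "end": evs[end]["eventTime"],
                                 "calls": len(calls), "services": len(services)}
                break  # one finding per principal is enough to raise an alert
    return findings


if __name__ == "__main__":
    for arn, f in find_enumeration_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT enumeration burst by {arn}: {f['calls']} distinct read-only "
              f"calls across {f['services']} services, {f['start']} to {f['end']}")
```

Counting distinct (service, API) pairs rather than raw call volume keeps a busy but narrow workload (a backup job hammering one S3 API) below the threshold while a broad, shallow sweep across IAM, Secrets Manager, SSM and KMS trips it; the same shape transfers to Azure activity logs and GCP audit logs by swapping the field names and read‑only prefixes.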
Technical Notes — The malware drops a crafted Parquet file that lists cloud resources, then uses stolen credentials to query APIs (AWS, Azure, GCP). No public CVE is associated; the technique is a novel abuse of cloud‑native data formats. Source: Dark Reading
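Because the dropped Parquet file is the one on‑host artifact the report describes, a hunt for it should key on the file format rather than the file name. The scanner below is an added example, not code from the Dark Reading report or from any vendor: Parquet files begin and end with the four‑byte magic `PAR1`, so the check reads those eight bytes and then flags any Parquet‑framed file that sits under a dot‑prefixed path or carries a non‑`.parquet` extension. The fixture tree it builds in a temporary directory, and the `.cache` and `notes.txt` names in it, are constructed for the illustration; the actual file names used by the malware are not given on the page.

```python
"""Hunt for Parquet files hidden under dot-paths or non-Parquet names.

Added illustration, not code from the Dark Reading report. The fixture
files and their names are constructed; nothing here is a real indicator.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

PARQUET_MAGIC = b"PAR1"   # Parquet frames every file with this at both ends


def is_parquet(path: Path) -> bool:
    """True if the file starts and ends with the Parquet magic bytes."""
    try:
        if path.stat().st_size < 8:      # header magic + footer magic minimum
            return False
        with path.open("rb") as fh:
            head = fh.read(4)
            fh.seek(-4, os.SEEK_END)
            tail = fh.read(4)
    except OSError:
        return False
    return head == PARQUET_MAGIC and tail == PARQUET_MAGIC


def is_hidden(path: Path, root: Path) -> bool:
    """Any dot-prefixed component below the scan root counts as hidden."""
    return any(part.startswith(".") for part in path.relative_to(root).parts)


def scan_for_suspicious_parquet(root) -> list[dict]:
    """Return Parquet-framed files that are hidden or carry a misleading extension."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or not is_parquet(path):
            continue
        hidden = is_hidden(path, root)
        misnamed = path.suffix.lower() != ".parquet"
        if hidden or misnamed:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "hidden": hidden, "misnamed": misnamed})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root) -> None:
    """Constructed fixtures: minimal Parquet-framed blobs (magic + filler + magic)."""
    root = Path(root)
    body = PARQUET_MAGIC + b"\x00" * 16 + b"\x00\x00\x00\x00" + PARQUET_MAGIC
    (root / "data").mkdir(parents=True)
    (root / "data" / "events.parquet").write_bytes(body)        # legitimate, ignored
    (root / ".cache").mkdir()
    (root / ".cache" / "targets.parquet").write_bytes(body)    # hidden directory
    (root / "data" / "notes.txt").write_bytes(body)            # wrong extension
    (root / "data" / "readme.txt").write_bytes(b"plain text")  # not Parquet
    (root / "data" / ".tmp.bin").write_bytes(b"PAR1xyz")       # truncated, no footer


def scan_sample_tree() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_suspicious_parquet(tmp)


if __name__ == "__main__":
    for finding in scan_sample_tree():
        print(f"SUSPICIOUS parquet: {finding['path']} "
              f"(hidden={finding['hidden']}, misnamed={finding['misnamed']})")
```

Point `scan_for_suspicious_parquet` at home directories, `/tmp` and application working directories where no analytics pipeline has business writing columnar data; a legitimate `.parquet` in a data lake path is ignored, while a Parquet‑framed blob under a dot‑directory or behind a `.txt` name is exactly the kind of artifact the report describes and is worth pulling for review.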