
PCPJack Worm Harvests Cloud Credentials and Erases TeamPCP Infections

The PCPJack malware framework scans exposed Docker, Kubernetes, Redis, MongoDB and other cloud services, steals a wide range of credentials, and removes any existing TeamPCP artifacts to hide its presence. Its activity threatens any organization with mis‑configured cloud assets, making credential rotation and secret‑management critical for third‑party risk mitigation.

LiveThreat™ Intelligence · 📅 May 08, 2026 · 📰 bleepingcomputer.com

Severity: 🟠 High
Type: ThreatIntel
Confidence: 🎯 High
Affected: 🏢 4 sector(s)
Actions: 4 recommended
Source: 📰 bleepingcomputer.com

What Happened – A new malware framework named PCPJack is scanning exposed cloud services (Docker, Kubernetes, Redis, MongoDB, RayML, etc.), stealing credentials, and then deleting any existing TeamPCP artifacts to claim the foothold for itself. The stolen secrets (SSH keys, API tokens, database passwords, OpenAI/Anthropic keys, etc.) are encrypted and exfiltrated to Telegram channels.

Why It Matters for TPRM

  • Credential theft from mis‑configured cloud assets can cascade to downstream SaaS providers and partner ecosystems.
  • The worm’s “clean‑up” of TeamPCP traces makes detection harder, increasing the risk of silent, long‑term compromise.
  • Organizations that rely on third‑party cloud infrastructure or shared development environments may unknowingly expose privileged secrets.

Who Is Affected – Cloud‑focused SaaS vendors, MSPs, container‑orchestration platforms, database‑as‑a‑service providers, and any enterprise that runs Linux‑based workloads in public or hybrid clouds.

Recommended Actions

  • Conduct an immediate inventory of exposed cloud endpoints (open Docker/K8s APIs, unauthenticated Redis/MongoDB, etc.).
  • Enforce strict network segmentation and zero‑trust access controls for cloud management interfaces.
  • Rotate all compromised secrets (SSH keys, API tokens, cloud provider credentials) and implement automated secret‑scanning tools.
  • Deploy endpoint detection and response (EDR) on Linux workloads to spot the bootstrap.sh/monitor.py execution pattern.

Technical Notes – PCPJack propagates via a bootstrap.sh script that creates a hidden working directory, installs Python dependencies, and launches monitor.py. It checks for TeamPCP tooling and deletes related containers, files, and persistence mechanisms. Credentials are encrypted with X25519 ECDH + ChaCha20‑Poly1305, chunked to 2,800‑byte pieces, and sent to Telegram. The worm leverages publicly available scans of exposed services and Common Crawl parquet host lists to find new targets. Source: BleepingComputer
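The fourth recommended action above and the Technical Notes both describe the same host-level signal: a bootstrap.sh process that sets up a hidden working directory, installs Python packages and then launches monitor.py, sometimes followed by container removal. The following Python is an added detection sketch written for this brief, not code from the original reporting or from any EDR product. It runs over process-start events in a constructed six-field format (timestamp, host, pid, ppid, cwd, command line); the sample lines, host names, PIDs, the .pcp directory name and the container name are all invented for illustration, and a real deployment would map auditd or EDR telemetry into the same fields. The chain is only reported when monitor.py descends from bootstrap.sh, so a lone script that happens to be called monitor.py (a common name) is not flagged.

```python
"""Flag the bootstrap.sh -> hidden dir -> pip install -> monitor.py chain
described in the brief, using the process tree rather than single names."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: "ts host pid ppid cwd cmdline" (all values invented).
# web-01 shows the full chain; web-02 shows a benign deploy script that also
# starts a file named monitor.py and must NOT be flagged.
SAMPLE_EVENTS = """\
1715155201 web-01 4102 4001 /root bash bootstrap.sh
1715155202 web-01 4103 4102 /root mkdir -p /root/.cache/.pcp
1715155203 web-01 4104 4102 /root/.cache/.pcp pip3 install -q -r requirements.txt
1715155210 web-01 4105 4102 /root/.cache/.pcp python3 monitor.py
1715155211 web-01 4106 4105 /root/.cache/.pcp docker rm -f legacy_worker
1715155300 web-02 2201 1 /home/dev bash deploy.sh
1715155301 web-02 2202 2201 /home/dev/app python3 monitor.py
"""


@dataclass
class Event:
    ts: int
    host: str
    pid: int
    ppid: int
    cwd: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed format; the command line is everything after the fifth field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, cwd, cmdline = line.split(maxsplit=5)
        events.append(Event(int(ts), host, int(pid), int(ppid), cwd, cmdline))
    return events


# Names and stages taken from the brief's Technical Notes.
BOOTSTRAP_RE = re.compile(r"(^|[\s/])bootstrap\.sh\b")
MONITOR_RE = re.compile(r"\bpython[0-9.]*\s+(\S*/)?monitor\.py\b")
PIP_RE = re.compile(r"\bpip[0-9.]*\s+install\b")
CONTAINER_RM_RE = re.compile(r"\bdocker\s+(rm|stop|kill)\b")
HIDDEN_DIR_RE = re.compile(r"(^|/)\.[^/\s]+")  # any dot-prefixed path component


def _descendants(by_pid: dict, children: dict, root_pid: int) -> list[Event]:
    """Collect every process below root_pid in the tree (depth-first)."""
    stack, out = [root_pid], []
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            out.append(by_pid[child])
            stack.append(child)
    return out


def find_chains(events: list[Event]) -> dict:
    """Return {host: {"root_pid": int, "indicators": [str]}} for hosts where a
    bootstrap.sh process has monitor.py among its descendants."""
    findings = {}
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    for host, evs in by_host.items():
        by_pid = {e.pid: e for e in evs}
        children = defaultdict(list)
        for e in evs:
            children[e.ppid].append(e.pid)

        for root in evs:
            if not BOOTSTRAP_RE.search(root.cmdline):
                continue
            desc = _descendants(by_pid, children, root.pid)
            # Require the full chain: monitor.py alone is too generic a name.
            if not any(MONITOR_RE.search(d.cmdline) for d in desc):
                continue
            indicators = ["bootstrap.sh executed", "monitor.py launched under bootstrap.sh"]
            if any(PIP_RE.search(d.cmdline) for d in desc):
                indicators.append("pip install from chain")
            if any(HIDDEN_DIR_RE.search(d.cwd)
                   or (d.cmdline.startswith("mkdir") and HIDDEN_DIR_RE.search(d.cmdline))
                   for d in desc):
                indicators.append("hidden working directory")
            if any(CONTAINER_RM_RE.search(d.cmdline) for d in desc):
                indicators.append("container removal from chain")
            findings.setdefault(host, {"root_pid": root.pid, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for host, f in find_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: root pid {f['root_pid']} -> {', '.join(f['indicators'])}")
```

Scoring on the process tree rather than on file names is the point of the sketch: the brief notes that PCPJack erases TeamPCP artifacts to stay quiet, so a detection keyed on a single artifact is fragile, while the parent-child relationship between bootstrap.sh, the hidden directory, the package install and monitor.py survives renaming of any one piece. Extending the regexes to cover the Redis/MongoDB/Docker reconnaissance the brief mentions is straightforward once telemetry with command lines is available.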

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-credentials-cleans-teampcp-infections/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.