PCPJack Worm‑Like Credential Stealer Exploits 5 CVEs to Harvest Cloud Secrets Across Multiple Sectors
What Happened — Researchers uncovered a new credential‑theft framework named PCPJack that leverages five publicly disclosed CVEs to move laterally across misconfigured cloud environments. The tool automatically harvests credentials from cloud platforms, container orchestrators, developer toolchains, productivity suites, and financial‑service applications, then exfiltrates the data to attacker‑controlled servers while attempting to erase any trace of the original “TeamPCP” malware.
Why It Matters for TPRM —
- Enables large‑scale credential exposure that can compromise downstream vendors and SaaS providers.
- Worm‑like propagation increases the attack surface across an entire cloud estate, not just a single host.
- Exploits known CVEs, meaning unpatched third‑party services become an easy entry point for supply‑chain attacks.
Who Is Affected — Cloud service providers, container‑orchestration platforms, DevOps tool vendors, productivity‑software vendors, and financial‑services SaaS providers.
Recommended Actions —
- Verify that all five CVEs are patched across every cloud asset and third‑party service.
- Conduct a comprehensive credential‑rotation program for cloud, API, and service accounts.
- Deploy continuous monitoring for anomalous credential‑harvesting activity and outbound data flows.
- Review and harden IAM policies, limiting the scope of service‑account permissions.
Technical Notes — Attack vector: exploitation of multiple CVEs, together with cloud misconfigurations, to gain an initial foothold, followed by credential‑stealing modules that target cloud IAM, container secrets, Git credentials, Office 365 tokens, and payment‑gateway APIs. Exfiltration occurs via encrypted channels to attacker‑controlled C2 infrastructure. Source: The Hacker News