Published on May 8, 2026
New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft
Severity
High
Detail
A newly discovered malware framework called “PCPJack” is actively targeting cloud environments by scanning for exposed Docker, Kubernetes, Redis, MongoDB, and RayML services. Researchers identified the malware as a credential theft framework with worm-like propagation capabilities designed to spread across cloud infrastructure and steal sensitive credentials at scale. Unlike many cloud-focused malware campaigns, PCPJack does not deploy cryptocurrency miners. Instead, the threat actor appears focused on credential theft, financial fraud, and unauthorized access to cloud and enterprise environments.
Researchers at SentinelOne discovered that the malware begins its infection chain using a shell script named bootstrap.sh. The script silently executes on Linux-based cloud systems, installs Python dependencies, downloads additional malicious modules, establishes persistence, and launches the main malware orchestrator.
One of PCPJack’s unique behaviors is its attempt to detect and remove infections linked to another threat group known as TeamPCP. Researchers believe the operator behind PCPJack may be a former TeamPCP member due to similarities observed between both campaigns.
According to Alex Delamotte, the malware harvests credentials from cloud services, developer environments, productivity platforms, and financial applications before exfiltrating the data to attacker-controlled infrastructure.
The malware targets a wide range of sensitive information, including:
- SSH private keys
- Slack tokens
- WordPress database credentials
- OpenAI and Anthropic API keys
- Cloud provider credentials
- Cryptocurrency wallet files
- Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password credentials
Before exfiltration, PCPJack encrypts the stolen data using X25519 ECDH key agreement and ChaCha20-Poly1305 authenticated encryption, then sends it to attacker-controlled Telegram channels in smaller chunks to stay under Telegram's message size limits.
How?
PCPJack spreads by scanning internet-facing infrastructure for exposed or vulnerable services such as Docker, Kubernetes, Redis, MongoDB, and RayML. The malware uses hostname data collected from Common Crawl parquet files to identify large numbers of potential targets without relying on hardcoded victim lists.
Once a vulnerable system is identified, the worm exploits multiple publicly known vulnerabilities to gain access, including:
- CVE-2025-29927 – Authentication bypass in Next.js middleware
- CVE-2025-55182 – React and Next.js deserialization flaw (“React2Shell”)
- CVE-2026-1357 – Unauthenticated file upload vulnerability in WPVivid Backup
- CVE-2025-9501 – PHP injection flaw in W3 Total Cache
- CVE-2025-48703 – Shell injection vulnerability in CentOS Web Panel
After successful compromise, the malware harvests credentials, enumerates Docker and Kubernetes environments, steals SSH keys, and spreads laterally to additional reachable systems.
Researchers also identified a Sliver-based backdoor deployed by the attackers to maintain persistent remote access. The backdoor is disguised by using filenames such as update[.]bin, update-386[.]bin, and update-arm[.]bin to blend in with legitimate system maintenance files.
Affected Products
The malware specifically targets exposed or vulnerable deployments of:
- Docker
- Kubernetes
- Redis
- MongoDB
- Next.js
- React
- CentOS Web Panel
- WordPress
- WPVivid Backup
- W3 Total Cache
Mitigation
Organizations should immediately secure exposed Docker, Kubernetes, Redis, MongoDB, and RayML services from public internet access and apply all relevant security patches for vulnerable applications.
Security teams are advised to:
- Enable multi-factor authentication (MFA) across all cloud and administrative accounts
- Enforce authentication on Docker and Kubernetes API endpoints
- Require IMDSv2 in AWS environments to reduce the risk of instance credentials being stolen through the metadata service
- Apply least-privilege access controls
- Avoid storing secrets or credentials in plaintext
- Regularly audit environment variables and configuration files for exposed credentials
- Monitor for suspicious outbound connections to Telegram infrastructure or unusual credential access activity
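The audit step above (plaintext secrets in environment variables and configuration files) as a worked example. This is an added script, not code from the advisory or from SentinelOne; it looks for the credential types the advisory says PCPJack harvests (SSH private keys, Slack tokens, cloud provider keys, OpenAI and Anthropic API keys, WordPress database passwords). The token-format regexes are assumptions based on publicly documented token prefixes, and the sample environment and file contents are constructed so the script runs offline.

```python
"""Audit environment variables and config files for plaintext credentials.

Added example for the mitigation list; not code from the advisory or from
SentinelOne. The regexes are assumptions about each vendor's token layout
and should be tuned for the environment being audited.
"""
import os
import re
from pathlib import Path

# Credential formats. Each regex is an assumption based on publicly documented
# token prefixes, not something taken from the advisory.
SECRET_PATTERNS = {
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abpors]-[0-9A-Za-z-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "anthropic_api_key": re.compile(r"\bsk-ant-[0-9A-Za-z_-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[0-9A-Za-z_-]{20,}"),
    # wp-config.php style define('DB_PASSWORD', '...') as well as KEY=value / key: value
    "password_assignment": re.compile(
        r"(?i)\b(?:db_pass(?:word)?|password|secret)\b['\"]?\s*[=:,]\s*['\"]?([^\s'\"]{6,})"),
}

# Constructed sample input (not real credentials) so the script runs offline.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE01",
    "SLACK_BOT_TOKEN": "xoxb-0000000000-constructedexampletoken",
}
SAMPLE_DOCUMENTS = {
    "wp-config.php": "<?php\ndefine('DB_USER', 'wpuser');\n"
                     "define('DB_PASSWORD', 'constructed-example-pass');\n",
    "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
}


def redact(value):
    """Keep a short prefix so a finding is recognisable without re-exposing the secret."""
    return value[:6] + "..." if len(value) > 6 else value


def scan_text(text, source):
    """Return (source, pattern_name, redacted_match) for every hit in text."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((source, name, redact(match.group(0))))
    return findings


def scan_environment(env):
    """Scan variable values only; a variable name by itself is not a secret."""
    findings = []
    for key, value in env.items():
        findings.extend(scan_text(value, f"env:{key}"))
    return findings


def load_files(paths, max_bytes=1_000_000):
    """Read candidate config files into {path: text}, skipping missing or huge files."""
    documents = {}
    for p in paths:
        path = Path(p)
        if path.is_file() and path.stat().st_size <= max_bytes:
            documents[str(path)] = path.read_text(errors="ignore")
    return documents


def audit(env, documents):
    """Combine both scans; documents is {label: text}."""
    findings = scan_environment(env)
    for source, text in documents.items():
        findings.extend(scan_text(text, source))
    return findings


def audit_host(config_paths):
    """Audit this host's own environment plus the listed config files."""
    return audit(dict(os.environ), load_files(config_paths))


if __name__ == "__main__":
    for source, kind, sample in audit(SAMPLE_ENV, SAMPLE_DOCUMENTS):
        print(f"{source}: {kind} ({sample})")
    # On a real host, for example:
    # audit_host(["/var/www/html/wp-config.php", "/root/.ssh/id_rsa", "/etc/environment"])
```

Findings are redacted to a six-character prefix on purpose: the audit output is itself a file an attacker would harvest, so it should identify where a secret lives without becoming a copy of it. Anything it flags should be moved into a secrets manager and the old value rotated.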
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com | Payload hosting infrastructure |
| URL | hxxps://cdn[.]cloudfront-js[.]com:8443/u | Credential exfiltration endpoint |
| File | bootstrap[.]sh | Initial malware dropper |
| File | monitor[.]py | Main malware orchestrator |
| File | extractor[.]py | Credential harvesting module |
| File | update[.]bin | Sliver backdoor for x86_64 systems |
| File | update-386[.]bin | Sliver backdoor for x86 systems |
| File | update-arm[.]bin | Sliver backdoor for ARM systems |
| Domain | lastpass-login-help[.]com | Domain in TLS certificate from PCPJack infrastructure IP 38[.]242[.]245[.]147 |
| IP Address | 161[.]97[.]129[.]25 | Hardcoded attacker infrastructure IP in bootstrap.sh |
| Directory | /var/lib/.spm/ | Hidden malware working directory |
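A sweep for the indicators in the table above, as an added example; it is not code from the advisory or from SentinelOne. The indicator values are the advisory's own (kept defanged in the source and refanged at runtime); the log lines and file listing it runs over are constructed for the demonstration. It serves the monitoring item in the mitigation list as well as the IoC table.

```python
"""Sweep log lines and a file listing for the PCPJack indicators listed above.

Added example, not from the advisory or the researchers. Indicator values are
copied from the advisory's IoC table; sample logs and paths are constructed.
"""
import re
from pathlib import Path

DEFANGED_IOCS = {
    "url": [
        "hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com",
        "hxxps://cdn[.]cloudfront-js[.]com:8443/u",
    ],
    "domain": ["lastpass-login-help[.]com"],
    "ip": ["161[.]97[.]129[.]25", "38[.]242[.]245[.]147"],
    # File names alone are weak signals (bootstrap.sh and update.bin are common
    # legitimate names); the hidden working directory is the stronger indicator.
    "file": ["bootstrap.sh", "monitor.py", "extractor.py",
             "update.bin", "update-386.bin", "update-arm.bin"],
    "directory": ["/var/lib/.spm/"],
}

# Constructed sample input so the script runs offline.
SAMPLE_LOGS = [
    "May  8 10:01:12 web1 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51234",
    "May  8 10:02:03 web1 proxy: GET https://spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com/",
    "May  8 10:02:09 web1 fw: outbound 161.97.129.25:443 from 10.0.0.7",
    "May  8 10:03:44 web1 proxy: POST https://cdn.cloudfront-js.com:8443/u status=200",
]
SAMPLE_PATHS = [
    "/usr/bin/python3",
    "/var/lib/.spm/monitor.py",
    "/tmp/update-arm.bin",
    "/opt/app/bootstrap.sh",
]


def refang(value):
    """Turn the table's defanged form back into what appears in real logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def build_matchers():
    """One anchored regex per network indicator (IPs and domains must not match as substrings)."""
    matchers = []
    for ioc in DEFANGED_IOCS["url"]:
        matchers.append(("url", ioc, re.compile(re.escape(refang(ioc)))))
    for ioc in DEFANGED_IOCS["domain"]:
        matchers.append(("domain", ioc, re.compile(
            r"(?<![A-Za-z0-9.-])" + re.escape(refang(ioc)) + r"(?![A-Za-z0-9-])")))
    for ioc in DEFANGED_IOCS["ip"]:
        matchers.append(("ip", ioc, re.compile(
            r"(?<!\d)" + re.escape(refang(ioc)) + r"(?!\d)")))
    return matchers


def scan_log_lines(lines):
    """Return (line_no, kind, defanged_indicator) for every network IoC seen."""
    hits = []
    matchers = build_matchers()
    for n, line in enumerate(lines, 1):
        for kind, ioc, rx in matchers:
            if rx.search(line):
                hits.append((n, kind, ioc))
    return hits


def scan_paths(paths):
    """Flag paths under the hidden working directory, then files whose basename matches an IoC."""
    hits = []
    for p in paths:
        path = Path(p)
        if any(str(path).startswith(d) for d in DEFANGED_IOCS["directory"]):
            hits.append((p, "directory", DEFANGED_IOCS["directory"][0]))
        elif path.name in DEFANGED_IOCS["file"]:
            hits.append((p, "file", path.name))
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS) + scan_paths(SAMPLE_PATHS):
        print(hit)
    # On a live host, feed real data instead, for example:
    # scan_paths(str(p) for p in Path("/var/lib").rglob("*"))
```

Treat a directory hit under /var/lib/.spm/ as high confidence and a bare file-name hit as a prompt to inspect the file; a network hit should trigger a look at which process made the connection and what it read from disk beforehand.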
Conclusion
PCPJack demonstrates the growing sophistication of cloud-focused malware targeting exposed infrastructure and sensitive enterprise credentials. Its worm-like propagation, broad credential harvesting capabilities, and use of persistent backdoors make it a significant threat to cloud, containerized, and enterprise environments. Organizations should immediately review exposed services, strengthen cloud security configurations, monitor for suspicious activity, and apply security updates to reduce the risk of compromise.
Source
https://cybersecuritynews.com/new-pcpjack-worm-targets-docker/
https://cyberpress.org/pcpjack-targets-cloud-infrastructure/
