PCPJack credential stealer chains 5 CVEs to worm through Docker, Kubernetes, Redis, and RayML

TL;DR

Impact: Cloud environments exposing Docker, Kubernetes, Redis, MongoDB, RayML, or public web apps to external or internal networks

Action: Patch the listed CVEs, verify auth on Docker API and Kubernetes API, enforce IMDSv2, rotate .env secrets, SSH keys, and cloud credentials

IOCs: /var/lib/.spm, harvest.jsonl, sys-monitor.service, cdn[.]cloudfront-js[.]com, spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com


SentinelOne published a report on PCPJack, a framework that moves across cloud environments stealing credentials.
It is not a single-CVE exploit. Once it compromises a host, it fans out to Docker, Kubernetes, Redis, MongoDB, and RayML on the same or reachable networks.

The Hacker News headline highlighted “5 CVEs exploited worm-like,” but reading the SentinelOne report, the CVE count is not the interesting part.
PCPJack first removes TeamPCP artifacts, then sweeps .env files, SSH keys, cloud metadata, Kubernetes Secrets, and Docker Secrets. It behaves more like a hostile takeover of already-compromised cloud infrastructure.

Starts by replacing TeamPCP

The entry point is bootstrap.sh.
It creates a working directory at /var/lib/.spm/ on Linux, installs Python and dependencies, and pulls six Python modules from an attacker-controlled S3 bucket.

That much is standard for cloud malware.
What stands out is the first action: hunting and killing processes, files, services, and containers tied to TeamPCP or PCPCat.
SentinelOne notes that compromised hosts report a PCP replaced field back to C2, indicating whether the eviction succeeded.

This is different from TeamPCP’s earlier LiteLLM PyPI supply-chain attack or the telnyx Python SDK WAV steganography poisoning, which targeted CI/CD pipelines and package distribution to steal developer credentials and AI app API keys.
PCPJack skips the supply chain and goes straight for cloud management surfaces already exposed on the network.

Attribution is not confirmed.
SentinelOne describes the operator as possibly “a former TeamPCP member or at least someone intimately familiar with their tooling.”
Dropping TeamPCP’s minor features, removing the cryptominer, and focusing exclusively on credentials suggests a competitor carving out the same market.

Targets cloud operations directly

monitor.py is the main orchestrator. It handles local credential harvesting, module coordination, and outward propagation.
Harvested items include .env files, config files, environment variables, SSH private keys, AWS IMDS credentials, Kubernetes service account tokens, Docker Secrets, and cryptocurrency wallets.

A separate check.sh toolset drops a Sliver beacon (a remote-access implant) while also searching for Anthropic, DigitalOcean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, and OpenAI keys.
Any deployment that stores LLM API keys in environment variables is directly exposed.

graph TD
    A[Compromise exposed<br/>web app or service] --> B[bootstrap.sh creates<br/>/var/lib/.spm]
    B --> C[Remove TeamPCP<br/>artifacts]
    C --> D[Deploy monitor.py and<br/>auxiliary modules]
    D --> E[Harvest .env, SSH keys,<br/>cloud credentials]
    E --> F[Lateral movement to Docker,<br/>Kubernetes, Redis, RayML, MongoDB]
    F --> G[Exfiltrate to Telegram<br/>and external servers]

The earlier React2Shell campaign already showed Next.js hosts yielding DB credentials, SSH keys, and AWS/Stripe/GitHub tokens.
PCPJack extends that pattern beyond Next.js, packing web-app CVEs, Docker API access, Kubernetes service accounts, Redis cron rewrite, and RayML job injection into a single framework.

The 5 CVEs used for initial access

For external propagation, PCPJack pulls hostnames from Common Crawl parquet data and distributes scanning across infected nodes.
There is no central target list; each node discovers candidates on its own.

SentinelOne lists these CVEs:

| CVE | Target | Description |
|---|---|---|
| CVE-2025-29927 | Next.js | Middleware auth bypass |
| CVE-2025-55182 | React / Next.js | Server Actions deserialization, React2Shell |
| CVE-2026-1357 | WPVivid Backup | Unauthenticated file upload |
| CVE-2025-9501 | W3 Total Cache | PHP injection via cached mfunc comment |
| CVE-2025-48703 | CentOS Web Panel | Shell injection in Filemanager changePerm |

On their own, these are known web-app vulnerabilities.
The real payload is what happens after initial access. From the application container, PCPJack probes Docker socket, Kubernetes API, Redis, MongoDB, RayML, and SSH in sequence, looking for any reachable management surface.

On Kubernetes, it connects to the API using the pod’s service account token, enumerates namespaces and pods, reads Secrets and ConfigMaps, and base64-decodes the contents.
Even if RBAC blocks pod exec, credentials leak if the service account retains Secret read permissions.
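
To find service accounts in that position before an intruder does, the following added example (not code from SentinelOne or from this article's sources) walks RBAC objects and lists every service account whose binding allows reading Secrets. It assumes input shaped like the `items` of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the role and account names in `SAMPLE` are constructed.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def grants_secret_read(rules):
    """True if any rule allows reading Secrets in the core API group."""
    for rule in rules or []:
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if groups & {"", "*"} and resources & {"secrets", "*"} and verbs & READ_VERBS:
            return True
    return False

def secret_readers(objects):
    """Return sorted (sa_namespace, sa_name, scope, role) for bindings that grant Secret reads."""
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            ns = o["metadata"].get("namespace", "") if o["kind"] == "Role" else ""
            roles[(o["kind"], ns, o["metadata"]["name"])] = o.get("rules")
    found = set()
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, bind_ns = o["roleRef"], o["metadata"].get("namespace", "")
        role_ns = bind_ns if ref["kind"] == "Role" else ""
        if not grants_secret_read(roles.get((ref["kind"], role_ns, ref["name"]))):
            continue
        scope = bind_ns if o["kind"] == "RoleBinding" else "*"  # "*" = every namespace
        for s in o.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                found.add((s.get("namespace", bind_ns), s["name"], scope, ref["name"]))
    return sorted(found)

# Constructed sample: one Secret-reading Role, one harmless Role, one wildcard ClusterRole.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "app-config", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "pod-view", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "b1", "namespace": "web"}, "roleRef": {"kind": "Role", "name": "app-config"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]},
    {"kind": "RoleBinding", "metadata": {"name": "b2", "namespace": "web"}, "roleRef": {"kind": "Role", "name": "pod-view"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "web"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "b3"}, "roleRef": {"kind": "ClusterRole", "name": "read-all"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
]
```

Wildcard rules are the easy ones to miss: the constructed `read-all` ClusterRole never names `secrets`, yet its binding is reported with scope `*`.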

On Docker, it checks /var/run/docker.sock and ports 2375/2376.
If the management API is reachable, it lists containers, bind-mounts the root filesystem, and accesses the host.
The question is not whether Docker is running locally, but where the socket or TCP API sits relative to trust boundaries.

Against Redis, it runs KEYS and GET to harvest token-like values and rewrites cron for re-infection every five minutes.
Against RayML, it submits jobs on port 8265, and against MongoDB on port 27017 it drains stored credentials.
Internal networks reachable from a compromised host are in scope, not just public-facing services.

Cloud malware without a cryptominer

Most cloud-targeting malware drops XMRig on compromised CPUs.
PCPJack does not. It strips TeamPCP’s miner, targets cryptocurrency wallet and exchange credentials, but does not abuse compute resources directly.

That gap affects detection.
Monitoring only for CPU spikes or mining-pool traffic misses PCPJack’s core activity.
What to watch instead: outbound connections to S3 and cdn[.]cloudfront-js[.]com, Telegram Bot API traffic, unusual Kubernetes Secret enumeration, Docker API container creation, Redis config rewrites, and RayML job submissions.
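
One of those signals, unusual Kubernetes Secret enumeration, can be pulled from API server audit logs. This added example (not from the SentinelOne report) flags service accounts that read Secrets outside their own namespace or get denied while trying. It assumes JSON-lines audit events in the `audit.k8s.io/v1` shape; the `allow` parameter and every account name in `SAMPLE_AUDIT` are constructed for illustration.

```python
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
READ_VERBS = {"get", "list", "watch"}

def secret_enumerators(audit_lines, allow=()):
    """Flag service accounts whose Secret reads leave their own namespace or get denied."""
    stats = defaultdict(lambda: {"namespaces": set(), "denied": 0})
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        if not user.startswith(SA_PREFIX) or user in allow:
            continue  # humans and allow-listed controllers are out of scope here
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        # A list/watch with no namespace is a cluster-wide request; record it as "*".
        stats[user]["namespaces"].add(ref.get("namespace") or "*")
        if (ev.get("responseStatus") or {}).get("code", 200) == 403:
            stats[user]["denied"] += 1
    flagged = {}
    for user, s in stats.items():
        own_ns = user[len(SA_PREFIX):].split(":", 1)[0]
        foreign = sorted(s["namespaces"] - {own_ns})
        if foreign or s["denied"]:
            flagged[user] = {"foreign_namespaces": foreign, "denied": s["denied"]}
    return flagged

def _ev(user, verb, ns, code):  # builds one constructed audit event as a JSON line
    ref = {"resource": "secrets", **({"namespace": ns} if ns else {})}
    return json.dumps({"kind": "Event", "verb": verb, "user": {"username": user},
                       "objectRef": ref, "responseStatus": {"code": code}})

# Constructed sample: a web pod's default account probing beyond its namespace.
SAMPLE_AUDIT = [
    _ev("system:serviceaccount:web:default", "list", "", 403),
    _ev("system:serviceaccount:web:default", "list", "payments", 200),
    _ev("system:serviceaccount:web:default", "get", "web", 200),
    _ev("system:serviceaccount:kube-system:node-agent", "get", "kube-system", 200),
    _ev("alice@example.com", "list", "payments", 200),
    "{truncated",
]
```

Controllers that legitimately read Secrets across namespaces belong in `allow`, so that what remains is worth an analyst's time.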

AI development workloads are in scope too.
As covered in the Marimo CVSS 9.3 pre-auth RCE and Astral’s uv supply-chain defense article, exposed notebooks and dev tools tend to colocate .env files and cloud keys.
PCPJack sweeps for exactly those scattered secrets.

Where to look if you assume breach

SentinelOne’s IOCs include /var/lib/.spm, /tmp/.origin, harvest.jsonl, and the systemd unit sys-monitor.service on the filesystem.
Outbound indicators include spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com, cdn[.]cloudfront-js[.]com, and lastpass-login-help[.]com.
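
A sweep for the indicators listed above, as an added example (not SentinelOne's tooling). The page gives `harvest.jsonl` and `sys-monitor.service` as names without directories, so the script matches them by filename anywhere under the chosen root; the function names are this example's own.

```python
import os
import re

# Filesystem IOCs from the article: two absolute paths and two bare filenames.
IOC_PATHS = ["/var/lib/.spm", "/tmp/.origin"]
IOC_NAMES = {"harvest.jsonl", "sys-monitor.service"}
# Network IOCs stay defanged in source; they are refanged only in memory for matching.
IOC_DOMAINS_DEFANGED = [
    "spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com",
    "cdn[.]cloudfront-js[.]com",
    "lastpass-login-help[.]com",
]

def scan_filesystem(root="/"):
    """Return sorted IOC paths found under root (root may be a mounted disk image)."""
    hits = set()
    for path in IOC_PATHS:
        if os.path.lexists(os.path.join(root, path.lstrip("/"))):
            hits.add(path)
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in IOC_NAMES.intersection(files):
            hits.add("/" + os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def _domain_pattern():
    names = "|".join(re.escape(d.replace("[.]", ".")) for d in IOC_DOMAINS_DEFANGED)
    # Match an IOC domain or any subdomain of it, with or without a trailing dot,
    # but never a longer look-alike hostname that merely contains it.
    return re.compile(r"(?<![\w-])(?:[\w-]+\.)*(" + names + r")(?!\.?[\w-])", re.I)

def scan_log_lines(lines):
    """Return (line_number, ioc_domain) for each DNS or proxy log line naming an IOC."""
    pattern = _domain_pattern()
    return [(n, m.group(1).lower())
            for n, line in enumerate(lines, 1) for m in pattern.finditer(line)]

if __name__ == "__main__":
    for hit in scan_filesystem("/"):
        print("filesystem IOC:", hit)
```

Feed `scan_log_lines` resolver or egress proxy logs rather than host logs alone, since a host that has been taken over cannot be trusted to report its own connections.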

Cleaning up the host alone is not enough.
The credentials PCPJack targets all extend privileges beyond the host: DB passwords from .env, SSH keys, AWS access keys, Kubernetes service accounts, Docker registry credentials, and OpenAI/Anthropic API keys should all be treated as compromised.

On AWS, enforce IMDSv2 so temporary credentials cannot be fetched via IMDSv1.
On Kubernetes, restrict automatic service account token mounting and avoid granting broad Secret read permissions.
Keep Docker’s TCP API unexposed; if external access is necessary, require TLS client certificates.
Redis and MongoDB should require authentication even inside internal networks.

Beyond patching PCPJack’s specific CVEs, the hardening work is about eliminating exposed management surfaces and long-lived credentials.
For long-lived CI/CD tokens, Trusted Publishing and OIDC workflows are the applicable controls.
On the runtime side, move secrets into Secret Manager or Vault so plaintext keys do not sit on the application filesystem.
