According to SecurityWeek, a threat actor has launched PCPJack, a worm active since late April that evicts existing TeamPCP infections and steals credentials from cloud environments such as AWS, Kubernetes and Docker. SentinelOne describes PCPJack as beginning with a Linux shell script that sets up the environment, fetches additional payloads, and searches for and removes processes and artifacts matching known TeamPCP infections.
The script then creates a Python virtual environment, downloads six modules from an AWS S3 bucket, renames them, establishes persistence, and launches the main framework orchestrator before deleting itself.
The remaining modules support credential parsing, lateral movement, C&C message encryption, cloud IP range lookups, and cloud scanning, with the framework capable of stealing .env files, environment variables, SSH keys, cryptocurrency wallets, credentials, and tokens for services including AWS, Kubernetes, Docker, Gmail, GitHub, Office 365/Outlook, RayML, Slack and WordPress.
PCPJack uses Telegram for C&C, and SentinelOne notes a second toolset combining Sliver implants with credential theft across dozens of cloud services, including those targeted by PCPJack. Written by Ionut Arghire, the piece is dated 8 May 2026.