216.73.217.22

PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

· Published 07/05/2026 23:33 · Modified 08/05/2026 09:21

Export JSON

Essential information

Published
07/05/2026 23:33
Modified
08/05/2026 09:21
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
container worm docker compromise kubernetes exploitation pcpjack sliver teampcp
Tags
2026-05-07 container worm docker compromise kubernetes exploitation pcpjack sliver teampcp
Related entities
5 vulnerabilities (cve), 4 indicators, 4 observables, 24 techniques (mitre), 2 malware, 2 others

Description

is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to , a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (5)

CVE-2025-9501
9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector
NETWORK
Published
17/11/2025
Modified
08/05/2026
Awaiting Analysis
CVE-2025-48703 KEV
9.0 Critical

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …

Attack vector
Network
Published
04/11/2025
Modified
08/05/2026
Received
CVE-2026-1357
9.8 Critical

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …

Attack vector
Network
Published
11/02/2026
Modified
08/05/2026
Awaiting Analysis
CVE-2025-29927
9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector
NETWORK
Published
21/03/2025
Modified
21/12/2025
Received
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed

Indicators (4)

Observables (4)

  • lastpass-login-help.com
  • cdn.cloudfront-js.com
  • https://cdn.cloudfront-js.com:8443/u
  • e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a

Techniques (MITRE) (24)

Malware (2)

  • Sliver
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • PCPJack
    Family
    Published 07/05/2026 21:33 · Modified 07/05/2026 21:33

Others (2)

  • cdn.cloudfront-js.com
  • lastpass-login-help.com

External references