Researchers disclosed a new credential stealer framework called PCPJack that exploits five unpatched vulnerabilities to propagate across cloud environments. The malware targets exposed cloud infrastructure, container systems, developer tools, and productivity platforms to harvest credentials from multiple service categories including financial applications.
PCPJack operates as a worm-like threat, spreading laterally across networked systems while actively removing artifacts from TeamPCP, a competing threat actor framework. The malware extracts credentials from cloud services, containerized environments, developer platforms, and financial applications, then exfiltrates the stolen data through attacker-controlled infrastructure.
The five CVEs exploited by PCPJack remain unpatched in many deployments, allowing the malware to move between systems without user interaction. This lateral movement capability makes PCPJack particularly dangerous in environments running multiple cloud services or containerized workloads without current security patches.
Organizations using cloud infrastructure, Kubernetes clusters, or developer-focused SaaS platforms face direct risk from PCPJack. Because the credential theft targets multiple service types at once, a single infection can compromise access to cloud platforms, container registries, GitHub credentials, Slack tokens, and financial services simultaneously.
The removal of TeamPCP artifacts suggests PCPJack operators actively compete with other threat groups for control of compromised environments. This indicates PCPJack targets the same victim base as other credential-stealing campaigns, specifically cloud-native organizations.
The threat requires immediate action. Teams should patch all five affected CVEs across cloud instances, container platforms, and development environments. Credential rotation for any systems accessible from cloud infrastructure is necessary. Cloud accounts should enforce multi-factor authentication. Monitor for suspicious lateral movement and credential access patterns in cloud audit logs and container runtime activity.
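One concrete way to hunt for the pattern described above (one infected principal pulling secrets from several unrelated service categories within seconds) is a breadth-of-access check over secret-read audit events. This is an added detection example, not code from the original post or from any vendor; the event schema, the category labels, and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not a real log format).
# Each record: who read a secret, which credential category it belongs to, when.
SAMPLE_EVENTS = [
    {"principal": "build-runner-7", "category": "cloud",     "ts": "2024-05-01T10:00:05"},
    {"principal": "build-runner-7", "category": "registry",  "ts": "2024-05-01T10:00:09"},
    {"principal": "build-runner-7", "category": "github",    "ts": "2024-05-01T10:00:14"},
    {"principal": "build-runner-7", "category": "slack",     "ts": "2024-05-01T10:00:20"},
    {"principal": "build-runner-7", "category": "financial", "ts": "2024-05-01T10:00:31"},
    {"principal": "deploy-bot",     "category": "cloud",     "ts": "2024-05-01T10:05:00"},
    {"principal": "deploy-bot",     "category": "registry",  "ts": "2024-05-01T10:05:02"},
    {"principal": "analyst-jane",   "category": "cloud",     "ts": "2024-05-01T09:00:00"},
    {"principal": "analyst-jane",   "category": "github",    "ts": "2024-05-01T11:30:00"},
    {"principal": "analyst-jane",   "category": "slack",     "ts": "2024-05-01T14:00:00"},
]

def find_broad_credential_access(events, min_categories=3, window=timedelta(minutes=5)):
    """Return {principal: sorted categories} for every principal that read secrets
    from at least `min_categories` distinct credential categories inside some
    `window`. A single infection harvesting cloud, registry, GitHub, Slack and
    financial secrets within seconds matches; a human touching three categories
    spread over a working day does not."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append((datetime.fromisoformat(e["ts"]), e["category"]))
    flagged = {}
    for principal, accesses in by_principal.items():
        accesses.sort()  # time-ordered secret reads for this principal
        best = set()
        start = 0
        for end in range(len(accesses)):
            # Slide the window start forward until it spans at most `window`.
            while accesses[end][0] - accesses[start][0] > window:
                start += 1
            cats = {c for _, c in accesses[start:end + 1]}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_categories:
            flagged[principal] = sorted(best)
    return flagged

if __name__ == "__main__":
    for p, cats in find_broad_credential_access(SAMPLE_EVENTS).items():
        print(f"ALERT: {p} read secrets from {len(cats)} categories within 5 min: {cats}")
```

Tune `min_categories` and `window` to the normal breadth of secret reads for each workload identity; CI runners that legitimately fetch several secret types at once should be allow-listed rather than handled by raising the threshold for everyone.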
THE BOTTOM LINE: PCPJack exploits unpatched cloud infrastructure vulnerabilities to steal credentials at scale, making rapid patching
