{"uuid": "ce174a05-e149-4cc0-9b8b-c667590e69f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-1357", "type": "seen", "source": "https://swecyb.com/ap/users/116080658609901341/statuses/116532717550218877", "content": "(sentinelone.com) PCPJack: A Credential Theft Framework Targeting Exposed Cloud Infrastructure and Evicting TeamPCP Artifacts\nNew threat actor framework PCPJack targets exposed cloud infrastructure for credential theft, systematically evicting TeamPCP artifacts. Leverages Telegram/Sliver C2, exploits CVEs (e.g., CVE-2025-55182, CVE-2026-1357), and propagates via Docker/Kubernetes/Redis/MongoDB/RayML.\nIn brief - PCPJack is a modular credential theft framework targeting cloud services, removing TeamPCP traces while harvesting credentials from .env files, IMDS, Kubernetes tokens, and wallets. Exfiltrates via Telegram, monetizing access rather than deploying cryptominers.\nTechnically - PCPJack uses `bootstrap.sh` to deploy Python payloads from S3, orchestrated by `monitor.py`. Modules include `_lat.py` (lateral movement via Kubernetes API/Docker socket/SSH), `_cu.py` (X25519/ChaCha20-Poly1305 encryption), and `_csc.py` (cloud scanning). Exploits React2Shell (CVE-2025-55182), Redis cron injection, and Common Crawl parquet files for target discovery. Sliver C2 beacons enable persistence and additional credential harvesting.\nSource: https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/\n#Cybersecurity #ThreatIntel", "creation_timestamp": "2026-05-07T10:15:43.282491Z"}