Executive Summary
In May 2026, cybersecurity researchers uncovered PCPJack, a sophisticated credential theft framework targeting exposed cloud infrastructures. The toolset infiltrates services such as Docker, Kubernetes, Redis, MongoDB, and RayML, harvesting credentials from cloud, container, developer, productivity, and financial services. It exfiltrates the stolen data through attacker-controlled infrastructure and propagates in a worm-like fashion by exploiting known vulnerabilities, including CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Notably, PCPJack removes artifacts linked to the threat actor TeamPCP from compromised environments, suggesting a possible connection or rivalry between the two groups. The campaign's primary objective appears to be generating illicit revenue through credential theft, fraud, spam, extortion, or resale of stolen access.
This incident underscores the evolving threat landscape in cloud security, highlighting the increasing sophistication of attacks targeting cloud infrastructures. Organizations must remain vigilant, ensuring timely patching of known vulnerabilities and implementing robust security measures to protect against such credential theft campaigns.
Why This Matters Now
The emergence of PCPJack highlights the urgent need for organizations to secure their cloud infrastructures against sophisticated credential theft campaigns that exploit known vulnerabilities and propagate rapidly across systems.
Attack Path Analysis
The PCPJack credential stealer infiltrated cloud environments by exploiting vulnerabilities in widely used security tools, leading to unauthorized access and credential harvesting. The attackers escalated privileges by leveraging stolen credentials to gain higher-level access within the compromised systems. They moved laterally across cloud infrastructures, targeting additional services and resources to expand their foothold. Establishing command and control channels, they maintained persistent access and orchestrated further malicious activities. Sensitive data, including credentials from various services, was exfiltrated to attacker-controlled infrastructure. The impact included unauthorized access to critical systems, potential data breaches, and disruption of cloud services.
Kill Chain Progression
Initial Compromise
Description
The attackers infiltrated cloud environments by exploiting vulnerabilities in widely used security tools, such as Trivy and Telnyx, embedding malicious code to gain unauthorized access.
Related CVEs
CVE-2026-33634
CVSS: 8.8
A supply chain vulnerability in Checkmarx GitHub Actions allows attackers to inject malicious code, leading to credential theft from CI/CD environments.
Affected Products:
Checkmarx GitHub Actions – Affected versions not specified
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Credentials from Password Stores: Windows Credential Manager
Brute Force: Credential Stuffing
Valid Accounts
Exploit Public-Facing Application
Exploitation for Client Execution
Application Layer Protocol: Web Protocols
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security patches are installed within one month of release
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
PCPJack credential stealer directly targets cloud infrastructure, containers, and developer environments, compromising IT systems through CVE exploits and worm-like propagation across multi-cloud deployments.
Financial Services
Framework specifically harvests credentials from financial services platforms, threatening PCI compliance through lateral movement and data exfiltration across cloud-based banking and payment systems.
Computer Software/Engineering
Developer productivity tools and container environments face direct targeting, with credential theft enabling privilege escalation and unauthorized access to software development infrastructure and repositories.
Banking/Mortgage
Cloud-based banking systems vulnerable to credential harvesting attacks that exploit infrastructure CVEs, potentially compromising customer data and violating HIPAA/PCI compliance requirements.
Sources
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems: https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
- When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign: https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign
- Checkmarx supply chain compromise exposes CI/CD secrets: https://orca.security/resources/blog/checkmarx-supply-chain-compromise-ci-cd-secrets/
- TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials: https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained, potentially reducing the scope of unauthorized entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, potentially reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been constrained, potentially reducing the reachability to additional services and resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been limited, potentially reducing the scope of persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been constrained, potentially reducing the scope of data loss.
The overall impact of the attack could have been limited, potentially reducing the scope of unauthorized access and data breaches.
Impact at a Glance
Affected Business Functions
- CI/CD Pipelines
- Software Development
- Cloud Infrastructure Management
Estimated downtime: 14 days
Estimated loss: $500,000
Compromise of CI/CD pipeline secrets, including cloud provider credentials, SSH keys, and API tokens.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within cloud environments.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud platforms.
- Deploy Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
- Regularly update and patch security tools to mitigate vulnerabilities exploited by attackers.