Dark Reading | News | Cloud Security, Threat Intelligence, Cyber Risk, Application Security

After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets

PCPJack makes innovative use of parquet files for stealthy, pre-validated target discovery as it canvasses multiple cloud environments.
Nate Nelson, Contributing Writer
May 7, 2026
4 Min Read

Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker "TeamPCP," free of charge. The catch: It wants your secrets.

SentinelLabs named the program "PCPJack" in a new blog post, and described it as "well developed" — effective, with a few inexplicable but superficial oddities. Affected organizations stand to lose secrets associated with their cloud, container, developer, productivity, and financial services, unless they implement cloud security best practices, concealing passwords and keys behind vaults and multifactor checks.

What to Know About PCPJack

In many ways, PCPJack reflects the malware it's built to root out: It scans for open and exploitable cloud services, performs broad sweeps for valuable credentials, then rinses and repeats.

Initial entry is managed by a module called "bootstrap." Besides establishing persistence and downloading the malware's other Python modules, it wastes no time in searching for and rooting out any processes belonging to TeamPCP.

The main orchestrator script, "monitor," runs next and begins collecting system metrics, similar to a benign system monitoring utility. Though this data is of use to the attacker, researchers believe the primary purpose of this scan is to disguise the malware from onlookers. The module then starts stealing local configuration and environment files, and a variety of cloud, container, and cryptocurrency wallets, tokens, and keys. The mass of secrets stolen by monitor.py then passes to a module called "utils," which sorts through and categorizes it.
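The local configuration and environment files that the monitor module harvests are the places where plaintext keys tend to accumulate. The following Python script is an added defensive example, not code from the article or from SentinelLabs: a hygiene audit that an owner runs over their own repository or host to find credential-shaped strings in such files, so they can be moved into a vault before a worm like PCPJack collects them. The candidate file names, the token patterns, the temporary directory layout and every sample value in it are constructed assumptions; the audit reports only file, line and a redacted value, never the secret itself.

```python
import re
import tempfile
from pathlib import Path

# Credential shapes commonly left in .env and config files (assumed, illustrative set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value assignments whose name says SECRET/PASSWORD/TOKEN/API_KEY; group 1 is the value.
    "generic_secret_assignment": re.compile(
        r"(?im)^\s*(?:export\s+)?[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*"
        r"\s*=\s*['\"]?([^'\"\s#]{8,})"
    ),
}

# File types an audit of "local configuration and environment files" should look at (assumed list).
CANDIDATE_SUFFIXES = {".env", ".json", ".yaml", ".yml", ".ini", ".cfg", ".toml", ".pem", ".key"}
CANDIDATE_NAMES = {"credentials", "config", ".npmrc", ".pypirc", ".git-credentials"}


def is_candidate(path: Path) -> bool:
    """True for files whose name or suffix marks them as config/env material."""
    name = path.name
    return (name in CANDIDATE_NAMES or name.startswith(".env")
            or path.suffix.lower() in CANDIDATE_SUFFIXES)


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so the report itself never leaks the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str):
    """Return a list of {kind, line, redacted} findings for one file's contents."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.lastindex else m.group(0)
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"kind": kind, "line": line_no, "redacted": redact(value)})
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory and map each candidate file (POSIX-style relative path) to its findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or not is_candidate(path):
            continue
        if path.stat().st_size > max_bytes:  # skip large blobs, not config material
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree() -> Path:
    """Constructed fixture: a throwaway directory with fake credential-shaped values."""
    root = Path(tempfile.mkdtemp(prefix="secret-audit-"))
    (root / ".env").write_text(
        "DB_HOST=localhost\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS documentation example key, not real
        "STRIPE_SECRET_KEY=sk_test_00000000000000000000\n"
    )
    (root / "app").mkdir()
    (root / "app" / "config.yaml").write_text("slack:\n  token: xoxb-000000000000-constructed\n")
    (root / "notes.txt").write_text("password=hunter2hunter2\n")  # not a candidate file type
    (root / "README.md").write_text("AWS keys go in the vault, not here.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel_path, hits in sorted(scan_tree(sample).items()):
        for hit in hits:
            print(f"{rel_path}:{hit['line']}  {hit['kind']}  {hit['redacted']}")
```

Files that the audit flags are candidates for moving into a secrets manager and referencing by name at runtime, which is the vault-based hygiene SentinelLabs recommends; extend `PATTERNS` and `CANDIDATE_NAMES` to match the services your own environment uses.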
Besides those cloud services already named, PCPJack targets email services — Gmail, Microsoft Outlook, Mailchimp — and other popular, miscellaneous cloud applications — AWS, GitHub, Slack, WordPress — as well as the most widely known names in crypto: currencies like Bitcoin and Ethereum, exchanges like Coinbase and Binance, fintech services like Stripe.

As SentinelLabs notes, organizations that conceal their secrets in vaults, require multifactor authentication (MFA) for service accounts, and generally implement good cloud security hygiene can save themselves from the worst of what PCPJack and TeamPCP can do.

PCPJack's Best, and Missing, Features

PCPJack moves laterally both inside of a network and to other targets. It hacks into exposed cloud services to steal secrets, and steals secrets to hack into more cloud services. The script that handles lateral movement inside of a network, "lat," uses newly stolen secrets to gain access to Kubernetes environments, Docker containers, Redis, remote machines via SSH, and the list goes on.

The external propagation logic is more novel. The malware's orchestrator module downloads parquet files from Common Crawl, a nonprofit service popular in data analytics and artificial intelligence (AI) development, which crawls and collects data from the open Web. The malware then scans through this openly available data for potential targets, and a module called "csc" does the grunt work of exploiting known vulnerabilities to get in. PCPJack also keeps track of which hosts it has already scanned, and prevents multiple instances of itself from scanning the same hosts.

"PCPJack's most novel feature is the use of parquet files for finding new targets," says Alex Delamotte, senior threat researcher at SentinelLabs. "The toolset uses Common Crawl's parquet files for less noisy, pre-validated target discovery.
Unlike aimless scanning, it filters for hosts with valid HTTP responses and allows operators to customize targeting by overriding the parquet index for targeted attacks. To my knowledge, no other tools have used parquet files like this."

Unexpectedly, PCPJack contains no cryptomining functionality. In the niche of cloud cybercrime, SentinelLabs wrote, nearly everyone deploys XMRig, or something equivalent, to drain targets' lucrative computing power. For Delamotte, "The absence of cryptomining suggests the actor prioritizes quick payoffs through stealing credentials and wallets over long-term resource exploitation. While credential and wallet theft require development upfront to automate validation, they provide faster returns than mining, which carries higher detection and eviction risks."

Hackers vs. Hackers

Threat actors have long built mechanisms into their malware designed to delete other malware infections on targeted systems, or at least "close the door behind them" once their malware is inside. Some kinds of malware — like botnets and cryptominers — demand significant computing resources, which competing programs can eat away at. Cybercriminals might also not want to share in their good fortunes, or raise the risk of attention from security teams if another program on the same system is being too loud.

PCPJack is different: it doesn't target other malware broadly; it targets TeamPCP's tooling specifically. TeamPCP is a high-profile, fast-growing threat group, but it's hardly the Morris worm — even a tool targeting similar services, as PCPJack does, is unlikely to run into it in the wild very often. This initially led SentinelLabs researchers to wonder if PCPJack was actually deployed by a researcher trying to fight TeamPCP infections. The malware's other payloads quickly disabused them of that guess.
SentinelLabs now speculates that PCPJack might have been created by somebody formerly involved with TeamPCP, who's intimately familiar with its tactics, techniques, and procedures (TTPs). Rivalries aren't rare among cybercriminals, and this theory does square with notable yet inconclusive details of both groups' timelines. On April 19, just before its X account got suspended, TeamPCP made a post that alluded to threat actor "identity theft":

[Image: TeamPCP's April 19 post on X. Source: SentinelLabs]

According to Delamotte, evidence from the attacker's infrastructure suggests that the PCPJack campaign began the week of April 20.

About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.