TL;DR

PCPJack is a credential-stealing worm that poses as a cleanup tool for TeamPCP infections — it genuinely removes TeamPCP malware from compromised hosts, but simultaneously steals all credentials and spreads itself. Disclosed May 2026 by SentinelLabs. Chains 5 CVEs to spread worm-like across Kubernetes, Docker, Redis, and MongoDB infrastructure. Critically, it also spreads by exploiting React2Shell (CVE-2025-55182) and Next.js (CVE-2025-29927) — meaning web apps using affected frameworks are lateral-movement entry points for cloud infrastructure compromise.

What happened

SentinelLabs identified PCPJack as a new malware framework distinct from TeamPCP, possibly developed by a former TeamPCP affiliate or member who started an independent operation. The "counter-worm" framing is deliberate deception: PCPJack genuinely removes TeamPCP's malicious processes and configurations, giving the victim false confidence that their system is clean, while PCPJack's own credential harvest runs in the background.

Attack capabilities

  1. System reconnaissance: identifies cloud provider, Kubernetes credentials (~/.kube/config), Docker socket, Redis/MongoDB connection strings, SSH keys.
  2. Credential theft: exfiltrates cloud IAM credentials (AWS, GCP, Azure), Kubernetes service account tokens, Docker registry creds, database connection strings, npm/GitHub tokens, and SSH private keys.
  3. Lateral movement: uses extracted credentials to propagate across: - Kubernetes clusters (via stolen kubeconfig / service-account tokens) - Docker hosts (via exposed Docker socket or stolen Docker credentials) - Redis and MongoDB deployments (via connection strings) - RayML environments (via stolen API credentials) - SSH key propagation to known hosts
  4. CVE-based spreading: downloads Parquet files from Common Crawl to identify internet-accessible targets, then exploits: - CVE-2025-29927 (Next.js) - CVE-2025-55182 (React2Shell CVSS 10.0 — React Server Components RCE) - CVE-2026-1357 (WPVivid Backup plugin) - CVE-2025-9501 (W3 Total Cache) - CVE-2025-48703 (CentOS Web Panel)
  5. TeamPCP cleanup: actively kills TeamPCP processes, deletes TeamPCP files, and revokes TeamPCP persistence — to reduce "noise" and avoid drawing attention to the host.

Vibe-coding relevance: React2Shell chain

PCPJack actively exploits CVE-2025-55182 (React2Shell, CVSS 10.0) to gain initial footholds. Any vibe-coded app running a vulnerable React Server Components setup (Next.js, Waku, React Router RSC, RedwoodSDK, Parcel RSC, Vite RSC plugin) that is not yet patched is a potential entry point into the developer's cloud infrastructure. The worm pivots from the web app into the cloud credentials it finds on the same host.

The 766+ hosts confirmed compromised by React2Shell through April 2026 are all potential PCPJack lateral-movement targets.

Am I affected?

# Is your React/Next.js app patched against React2Shell?
# Vulnerable: React <19.0.4/19.1.5/19.2.4, Next.js <15.5.18/<16.2.6
npm list react react-dom next 2>/dev/null | grep -E 'react|next'

# Check for PCPJack indicators on your host
# PCPJack commonly drops a "cleanup" script that writes to /tmp
ls -la /tmp/pcp* /tmp/.pcpjack* 2>/dev/null

# Check for unexpected Kubernetes context changes
kubectl config get-contexts 2>/dev/null

# Audit for unexpected Docker image pulls
docker events --since 24h 2>/dev/null | grep -i pull

High risk if: - You run React/Next.js apps with Server Components that are not patched to React ≥ 19.0.4 / Next.js ≥ 15.5.18. - Your web app server has cloud credentials (~/.aws, ~/.gcp, KUBECONFIG, etc.) accessible to the web process. - You run Kubernetes, Docker, Redis, or MongoDB in the same network segment as a web server.

If you are affected

  1. Patch React2Shell immediately: upgrade React to ≥ 19.0.4 and Next.js to ≥ 15.5.18 / ≥ 16.2.6.
  2. Rotate all cloud credentials the compromised host could access.
  3. Audit Kubernetes RBAC — check for unexpected service accounts or cluster-admin bindings.
  4. Check Redis / MongoDB access logs for unauthorized queries.
  5. Do not trust the absence of TeamPCP infections as a sign of a clean host — PCPJack cleans TeamPCP but persists itself.

Prevention

prevention/agent-sandboxing.mdprevention/ci-cd-hardening.md

  • Patch React/Next.js against CVE-2025-55182 now. This is CISA KEV.
  • Never run web app processes with access to cloud IAM credentials, Kubernetes configs, or Docker sockets. Use separate service accounts with minimal permissions.
  • Network-segment your databases — Redis and MongoDB should not be reachable from web app hosts.
  • Treat a "cleaned" host as still compromised until full incident response confirms otherwise.

June 2026 escalation — 230-node SMTP relay

PCPJack has weaponized its credential harvest into a covert SMTP relay network. As of June 2026, SentinelLabs researchers found that PCPJack hijacked 230 AWS, Google Cloud, and Azure servers — all compromised via stolen cloud IAM credentials from prior waves — and quietly converted them into SMTP mail proxies. The relay network syncs verified outbound-mail-capable proxies to a downstream consumer every five minutes, providing a scalable, constantly-refreshing spam/phishing infrastructure sourced entirely from legitimate enterprise cloud accounts.

Key implications for defenders: - PCPJack is not just a credential harvester — it is now monetizing stolen cloud access as SMTP-as-a-Service for downstream threat actors. - If your AWS/GCP/Azure accounts were exposed in any prior Miasma/GlassWorm/Megalodon/Shai-Hulud wave, assume they may be enrolled in this relay network. - Detection: unusual SMTP traffic (port 25/587) from EC2/Compute Engine/Azure VM instances that do not run mail servers; unexpected IAM role usage for network egress.

Source: The Hacker News — "PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network"

Sources