SentinelLabs — PCPJack Cloud Worm Steals AI API Keys, Evicts TeamPCP
AI relevance: PCPJack specifically targets AI developer credentials — including OpenAI and Anthropic API keys — as part of a broad credential theft campaign against cloud infrastructure, and uses known CVEs including Next.js middleware bypass and React deserialization flaws to propagate.
What happened
- SentinelLabs discovered PCPJack, a new malware framework designed for large-scale credential theft from Linux-based cloud systems.
- The malware targets exposed Docker, Kubernetes, Redis, MongoDB, RayML, and web applications, then performs lateral movement within compromised environments.
- PCPJack steals credentials from cloud providers, developer platforms, databases, SSH keys, Slack tokens, WordPress configs — and specifically targets OpenAI and Anthropic API keys.
- On an infected system, PCPJack actively hunts for and removes TeamPCP tooling (processes, services, containers, files, persistence artifacts), suggesting a turf war between rival operators.
- SentinelLabs believes PCPJack was likely developed by a former TeamPCP affiliate or member who splintered off after the group's high-profile supply-chain campaigns drew attention.
- PCPJack propagates by exploiting known vulnerabilities: CVE-2025-29927 (Next.js middleware auth bypass), CVE-2025-55182 "React2Shell" (React/Next.js Server Actions deserialization), CVE-2026-1357 (WPVivid Backup unauthenticated file upload), CVE-2025-9501 (W3 Total Cache PHP injection), and CVE-2025-48703 (CentOS Web Panel shell injection).
- It downloads hostname data from Common Crawl parquet files to generate new scanning targets, enabling autonomous expansion of its infection surface.
- Stolen credentials are encrypted with X25519 ECDH + ChaCha20-Poly1305, split into 2800-byte chunks, and exfiltrated via Telegram channels.
Why it matters
PCPJack represents the convergence of two critical AI security trends: attackers systematically harvesting AI platform API keys from compromised developer infrastructure, and the use of AI-framework-specific vulnerabilities (Next.js, React) as propagation vectors. AI API keys are high-value targets — they can be used for data exfiltration at scale, unauthorized model access, and billing fraud. The turf-war dynamic with TeamPCP also signals that AI infrastructure credential theft has become lucrative enough to spawn competing criminal operations.
What to do
- Rotate all AI platform API keys (OpenAI, Anthropic, etc.) stored on cloud-facing systems; use short-lived tokens where possible.
- Patch Next.js and React applications against CVE-2025-29927 and CVE-2025-55182 immediately.
- Audit exposed Docker, Kubernetes, Redis, and MongoDB instances; ensure they are not internet-reachable without authentication.
- Monitor for PCPJack indicators: bootstrap.sh scripts creating hidden working directories, monitor.py orchestrator processes, and outbound Telegram API traffic from cloud servers.
- Review TeamPCP-related IOCs as well — systems compromised by PCPJack may have been previously infected and are actively being contested.
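
An added example (not SentinelLabs' code and not part of the original page) that correlates the three monitoring indicators above per host, because bootstrap.sh, monitor.py and Telegram traffic each occur legitimately on their own. The JSON-lines event schema, the host names and the use of api.telegram.org as the Telegram API hostname are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from posixpath import basename

# Constructed sample telemetry in a hypothetical JSON-lines schema (not a real EDR format).
SAMPLE_EVENTS = """\
{"host": "web-01", "type": "exec", "cmd": "/bin/sh /tmp/bootstrap.sh"}
{"host": "web-01", "type": "mkdir", "path": "/var/tmp/.work", "by": "bootstrap.sh"}
{"host": "web-01", "type": "exec", "cmd": "python3 monitor.py"}
{"host": "web-01", "type": "conn", "dest": "api.telegram.org"}
{"host": "ci-02", "type": "exec", "cmd": "python3 /opt/healthcheck/monitor.py"}
{"host": "ops-03", "type": "conn", "dest": "api.telegram.org"}
{"host": "db-04", "type": "mkdir", "path": "/home/app/.cache", "by": "pip"}
"""

# Assumption: Telegram API traffic shows up as this Bot API hostname in DNS/SNI logs.
TELEGRAM_HOSTS = {"api.telegram.org"}


def indicators_for(event):
    """Return the page-listed indicators that a single event matches."""
    kind = event.get("type")
    if kind == "exec":
        names = {basename(tok) for tok in event.get("cmd", "").split()}
        return {"monitor.py process"} if "monitor.py" in names else set()
    if kind == "mkdir" and event.get("by") == "bootstrap.sh":
        # Hidden directory: any path component that starts with a dot.
        parts = [p for p in event.get("path", "").split("/") if p]
        return {"bootstrap.sh hidden dir"} if any(p.startswith(".") for p in parts) else set()
    if kind == "conn" and event.get("dest", "").lower().rstrip(".") in TELEGRAM_HOSTS:
        return {"telegram egress"}
    return set()


def triage(lines):
    """Correlate per host: 2+ distinct indicators is 'high', a single one is 'review'."""
    hits = defaultdict(set)
    for line in filter(str.strip, lines.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the sweep
        hits[event.get("host", "unknown")] |= indicators_for(event)
    return {h: ("high" if len(i) >= 2 else "review", sorted(i)) for h, i in hits.items() if i}


if __name__ == "__main__":
    for host, (level, found) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, level, found)
```

Hosts in the "review" tier are the expected false-positive pool (a health-check script named monitor.py, an alerting bot that posts to Telegram) and are best handled with an allowlist rather than by dropping the indicator.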