GoKawiilA new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems.
Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network.
SentinelLabs researchers say that PCPJack appears designed for large-scale credential theft, and likely monetizes its activity via financial fraud, spam operations, credential resale, or extortion.
TeamPCP is a cloud-focused threat group known for high-profile supply-chain breaches against Aqua Security’s Trivy scanner, the LiteLMM and Telnyx PyPI packages, and more recently, SAP npm packages.
Because of the similarities with TeamPCP attacks, SentinelLabs believes that PCPJack may have been developed by a former TeamPCP affiliate or member that started their own operation.
“Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership,” explain the researchers.
“We believe this could be a former operator who is deeply familiar with the group’s tooling.”
In a report today, SentinelLabs says that PCPJack infects Linux-based cloud systems using a shell script called bootstrap.sh.
Upon execution, it creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator (monitor.py).
During this initial stage, PCPJack explicitly checks for TeamPCP tooling and attempts to delete everything, thus claiming the compromise for themselves.
... continue reading