PCPJack Is Scanning Your Docker, Redis, and MongoDB Instances for Credentials#

SentinelLabs published a report today on a new malware framework called PCPJack. It scans external cloud infrastructure for exposed services, exploits known vulnerabilities to gain access, and steals credentials at scale. The targeted services include Docker, Kubernetes, Redis, and MongoDB.

All four are covered by Attestd.

What PCPJack does#

PCPJack infects Linux-based cloud systems via a shell script called bootstrap.sh. On execution it creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches a main orchestrator called monitor.py.

It then scans for exposed services across external cloud infrastructure. When it finds a vulnerable instance, it gains access, moves laterally by harvesting SSH keys and credentials, enumerates Kubernetes clusters and Docker daemons, and executes itself on reachable internal hosts. Persistence is established via systemd services, cron jobs, Redis cron rewrites, or privileged containers.

The credentials it targets include cloud provider access (AWS, Azure, GCP), Docker and Kubernetes configurations, SSH keys, Slack tokens, WordPress configs, and explicitly named AI service credentials: OpenAI API keys and Anthropic API keys.

Collected credentials are encrypted using X25519 ECDH and ChaCha20-Poly1305, split into 2800-byte chunks to respect Telegram message limits, and exfiltrated to Telegram channels.

The infrastructure layer is the target#

PCPJack's scanning targets are the services that sit beneath the application layer: Docker daemons, Kubernetes clusters, Redis instances, and MongoDB deployments. These do not appear in a requirements.txt or a package.json. They are infrastructure, and most dependency scanning tools do not reach them.

The vulnerabilities PCPJack exploits to gain initial access include CVE-2025-55182 (React2Shell, an unauthenticated RCE in the React Server Components Flight protocol affecting React 19 and Next.js deployments, CVSS 10.0, actively exploited since December 2025), CVE-2025-29927 (authentication bypass in Next.js middleware), and several others affecting web applications and content management systems.

Once inside, the tooling pivots to whatever services are reachable on the network. The initial web application vulnerability is the door. Docker, Kubernetes, Redis, and MongoDB are what it is after.

What Attestd returns for the targeted services#

The four infrastructure services PCPJack scans for are all covered products. Here is what vulnerable version checks look like:

# Docker Engine
curl "https://api.attestd.io/v1/check?product=docker_engine&version=19.03.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
 
# Redis
curl "https://api.attestd.io/v1/check?product=redis&version=6.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
 
# MongoDB
curl "https://api.attestd.io/v1/check?product=mongodb&version=4.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
 
# Kubernetes API Server
curl "https://api.attestd.io/v1/check?product=kube_apiserver&version=1.24.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

Or with the JavaScript SDK:

import { Client } from '@attestd/sdk';
 
const client = new Client({ apiKey: process.env.ATTESTD_API_KEY });
 
const infrastructure = [
  { product: 'docker_engine', version: '19.03.0' },
  { product: 'redis', version: '6.0.0' },
  { product: 'mongodb', version: '4.0.0' },
  { product: 'kube_apiserver', version: '1.24.0' },
];
 
for (const { product, version } of infrastructure) {
  const result = await client.check(product, version);
  if (result.riskState !== 'none') {
    console.log(`${product}@${version}: ${result.riskState}`);
    if (result.fixedVersion) {
      console.log(`  Fix: ${result.fixedVersion}`);
    }
  }
}

The TeamPCP connection#

SentinelLabs attributes PCPJack to a former TeamPCP affiliate or member who started their own operation. The overlap is technical: PCPJack's initial framework resembles early TeamPCP tooling from December 2025, before the high-visibility campaigns of early 2026 brought attention to the group.

What is notable is how PCPJack treats TeamPCP infections it finds. It does not work alongside them. It removes them entirely, cleaning TeamPCP processes, services, containers, files, and persistence artifacts before establishing its own foothold. Two threat actor operations are competing for the same compromised infrastructure.

TeamPCP's campaigns are what motivated Attestd's supply chain monitoring layer. The LiteLLM attack on March 24 was the first. The Bitwarden CLI attack on April 22 used the same C2 infrastructure. PCPJack is a fork of that operation, now targeting infrastructure products directly rather than the supply chain.

The pattern across all of these campaigns is consistent: AI developer infrastructure is the target. Cloud credentials, Kubernetes configurations, and AI service API keys are what the attackers want. Whether the initial vector is a compromised PyPI package, a vulnerable npm release, or an exposed Docker daemon, the payload is the same category of theft.

What to check#

If you run Docker, Redis, MongoDB, or Kubernetes and any of them are reachable from the internet without authentication, treat them as potential targets. PCPJack specifically looks for exposed services without proper authentication controls.

The immediate actions SentinelLabs recommends: enforce MFA, use IMDSv2 in AWS, ensure proper authentication for Docker and Kubernetes services, follow least-privilege principles, and avoid storing secrets in plaintext.

For version-level CVE exposure across all four services, check each against Attestd before assuming your version is clean. The full product reference is at attestd.io/docs/products.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.