New 'PCPJack' worm hunts down and removes competing malware before stealing cloud credentials - exploits five different vulnerabilities to spread

BleepingComputer and The Hacker News disclosed a new credential-stealing worm called PCPJack that hunts and removes the well-established TeamPCP malware family before installing itself - the first observed case of one cybercrime operation systematically displacing another at scale. PCPJack exploits five separate vulnerabilities to spread worm-like across cloud and Linux environments, then steals SSH keys, AWS credentials, GitHub tokens, and other secrets. Operators replace TeamPCP files in place rather than just disabling them, suggesting an attempt to inherit TeamPCP's existing victim base. The pattern signals a maturing cybercrime market.

Check

Search EDR and cloud logs for sudden disappearance of TeamPCP indicators on hosts that previously had them - that is the likely PCPJack handover signature. Hunt for outbound credential-theft traffic patterns matching the five CVEs PCPJack exploits.

Affected

Linux servers, cloud workloads (AWS, GCP, Azure), and CI/CD runners that previously had TeamPCP cryptominer infections. Any host running unpatched versions of the five CVEs PCPJack exploits is in scope. Cloud accounts where SSH keys, IAM access keys, or GitHub tokens are stored on compromised workloads face credential-theft escalation.

Fix

Patch all five CVEs PCPJack exploits per the Wiz and Datadog IoC publications. Rotate cloud credentials, SSH keys, and GitHub tokens on any host that may have had TeamPCP - do not assume TeamPCP cleanup means safety. Block PCPJack C2 domains at egress. Shift to short-lived IAM credentials via OIDC and remove static keys from VMs entirely.