pcpcats: A Cloud-Native Cybercrime Operation
pcpcats is a financially motivated hacking group that emerged in late 2025, known for large-scale, automated attacks on cloud infrastructure and open-source supply chains. The group focuses on exploiting misconfigurations and known vulnerabilities to build self-propagating botnets used for credential theft, data exfiltration, proxy networks, cryptocurrency mining, and extortion.
It maintains a public presence primarily through the @pcpcats handle on X and associated Telegram channels for data leaks and updates.
List of Major Attacks and Campaigns
1. Operation PCPcat / React2Shell Campaign (December 2025)
- Targets: Exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React/Next.js applications vulnerable to React2Shell (CVE-2025-29927).
- Method: Automated scanning with tools like pcpcat.py and react.py; RCE via prototype pollution and command injection; deployment of malicious containers with Base64 payloads.
- Scale: Tens of thousands of servers compromised (estimates of 59,000–60,000 in under 48 hours).
- Outcomes: Credential harvesting, persistence via systemd units, tunneling, data theft, and infrastructure for further attacks. Signatures included “UwU PCP Cat was here~”. Victims spanned multiple countries including the US, Canada, South Korea, Serbia, and UAE.
2. JobsGO.vn Data Breach (Claimed January 2026)
- Target: Vietnamese online recruitment platform.
- Method: Exploitation leading to exfiltration of over 2 million records (personal and professional data).
- Outcomes: Data published via affiliated leak channels.
3. Supply Chain Attacks (March–June 2026)
The group conducted cascading compromises across package ecosystems (NPM, PyPI, OpenVSX, etc.):
- Aqua Security Trivy (March 2026): Malware injected into the vulnerability scanner, affecting downstream CI/CD pipelines.
- Checkmarx KICS, LiteLLM (high download volume), Telnyx, and dozens of additional packages.
- TanStack and related ecosystems (e.g., Mini Shai-Hulud worm).
- Nx Console and VS Code extensions leading to GitHub internal compromise.
- Method: Poisoned packages with credential-stealing malware; harvested secrets used for lateral movement into AWS and other clouds.
- Scale: Hundreds of packages affected; thousands of downstream organizations impacted; hundreds of GB of data exfiltrated (self-reported figures exceed 300 GB and ~500,000 credentials in some summaries).
Notable Victim Organizations/Impacts (Partial List):
- Mercor (AI startup): Multi-TB exfiltration including source code and personal data.
- European Commission infrastructure (via supply chain).
- GitHub: Access to ~3,800 internal repositories (May 2026).
- Various open-source projects and enterprises using compromised tools (OpenAI employee devices reported in some chains, among others).
Additional waves included further npm/PyPI poisoning, Kubernetes targeting (e.g., CanisterWorm with wiper components in some cases), and ongoing cloud credential harvesting.
Federal Investigations
As of the latest available public information (June 2026), there are no confirmed ongoing federal investigations, indictments, or arrests publicly linked to pcpcats. The group’s operations remain active in the cybercrime underground with no major law enforcement disclosures reported in open sources.
Implications
pcpcats demonstrates the dangers of exposed cloud services, delayed patching in web frameworks, and unverified supply chain trust. Its campaigns highlight how automation and opportunistic exploitation can achieve massive scale using well-known techniques rather than novel ones.
Organizations should prioritize:
- Securing management APIs and cloud exposures.
- Rigorous supply chain verification and dependency scanning.
- Credential rotation and secret management.
- Monitoring for known IOCs (e.g., specific C2 infrastructure, file paths like /opt/pcpcat/, and process patterns).
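As an added example (not part of the original write-up or any vendor tooling), the following Python script turns the two host-level indicators named above, the /opt/pcpcat/ path and the “UwU PCP Cat was here~” signature, into a simple sweep of systemd unit files and running process command lines, and also flags a Docker daemon whose API is bound on TCP without TLS, which is the exposure the Operation PCPcat section describes. The base64-decode-piped-to-shell rule and the Docker TLS rule are generic heuristics assumed here, not indicators the write-up itself lists; the sample unit files and process lines are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators taken from the write-up: the persistence directory and the
# defacement string. The remaining two rules are assumed heuristics.
PATH_INDICATOR = "/opt/pcpcat/"
SIGNATURE_INDICATOR = "UwU PCP Cat was here~"
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b")
DOCKER_TCP = re.compile(r"\bdockerd\b.*-H\s+tcp://")


@dataclass(frozen=True)
class Finding:
    source: str     # "systemd-unit" or "process"
    name: str       # unit file path or PID
    indicator: str  # which rule matched


def match_indicators(text: str) -> list[str]:
    """Return the names of every content indicator present in `text`."""
    hits = []
    if PATH_INDICATOR in text:
        hits.append("pcpcat-path")
    if SIGNATURE_INDICATOR in text:
        hits.append("pcpcat-signature")
    if B64_TO_SHELL.search(text):
        hits.append("base64-to-shell")
    return hits


def scan_units(units: dict[str, str]) -> list[Finding]:
    """Scan systemd unit contents (path -> text) for persistence indicators."""
    return [Finding("systemd-unit", path, ind)
            for path, body in units.items()
            for ind in match_indicators(body)]


def scan_processes(processes: dict[int, str]) -> list[Finding]:
    """Scan process command lines (pid -> cmdline); also flag a Docker API
    bound on TCP without --tlsverify (assumed heuristic for an exposed API)."""
    findings = []
    for pid, cmd in processes.items():
        for ind in match_indicators(cmd):
            findings.append(Finding("process", str(pid), ind))
        if DOCKER_TCP.search(cmd) and "--tlsverify" not in cmd:
            findings.append(Finding("process", str(pid), "docker-api-no-tls"))
    return findings


def collect_host_units(directory: str = "/etc/systemd/system") -> dict[str, str]:
    """Read *.service files from a real host (used when run directly)."""
    units = {}
    for p in Path(directory).glob("*.service"):
        try:
            units[str(p)] = p.read_text(errors="replace")
        except OSError:
            pass
    return units


def collect_host_processes() -> dict[int, str]:
    """Read /proc/<pid>/cmdline for every live process (NUL-separated args)."""
    procs = {}
    for p in Path("/proc").iterdir():
        if p.name.isdigit():
            try:
                raw = (p / "cmdline").read_bytes()
                procs[int(p.name)] = raw.replace(b"\0", b" ").decode(errors="replace")
            except OSError:
                pass
    return procs


# Constructed sample data, not output from a real host.
SAMPLE_UNITS = {
    "/etc/systemd/system/docker.service":
        "[Unit]\nDescription=Docker\n[Service]\nExecStart=/usr/bin/dockerd\n",
    "/etc/systemd/system/sysupdate.service":
        "[Service]\nExecStart=/opt/pcpcat/run.sh\nRestart=always\n"
        "# UwU PCP Cat was here~\n",
}
SAMPLE_PROCESSES = {
    1234: "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375",
    2222: "/usr/bin/dockerd -H tcp://0.0.0.0:2376 --tlsverify",
    4321: "sh -c 'echo aGk= | base64 -d | sh'",
}


def run_demo() -> list[Finding]:
    """Run both scanners over the constructed sample data."""
    return scan_units(SAMPLE_UNITS) + scan_processes(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.source:12} {f.name:45} {f.indicator}")
```

On a real host, replace the sample dictionaries with collect_host_units() and collect_host_processes(); the rules are deliberately narrow, so treat any hit as a trigger for a full investigation of that unit or process rather than as a complete verdict.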