TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning — far broader curated attack surface than typical opportunistic worms. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation but the same operator population is tracked.