
My Company's Server Got Hacked, and Then Another Hacker Stole It From the First One?


Wait, a Hacker Kicked Out Another Hacker?

Imagine someone secretly breaking into your company server and stealing money, and then one day another thief shows up, kicks out the first one, and takes over the operation. Sounds like a movie plot, right? Well, this actually happened in May 2026.

Security company SentinelOne discovered a malicious program called PCPJack. And you know what its first move is? It completely wipes out all traces of an existing hacking group called TeamPCP. It sneaks into servers that are already compromised and basically says "this is my territory now!" Turns out hackers fight over territory too, and they're dead serious about it.

WARNING TeamPCP is actually a group that pulled off some major incidents. They're a pretty organized hacking operation that targeted open-source security tools and AI libraries back in early 2026, then even partnered with ransomware groups to try to monetize their attacks.

So What Exactly Is PCPJack Stealing?

What's scary about PCPJack isn't that it targets just one server. It's a worm that spreads itself from an infected server to other servers on its own. A worm is malicious code that spreads from computer to computer without any human interaction—no clicking required.

And as it spreads, it does one thing: scoops up all kinds of account info and passwords. Here's what kind of stuff it's after:

Type of Information Stolen   Specific Examples
Cloud Services               AWS, Google Cloud account keys
Developer Tools              Docker, Kubernetes login credentials
Business Messaging Apps      Slack tokens (can read messages)
Databases                    MongoDB, Redis login info
Finance/Payments             Payment API keys, financial service credentials

But that's not even the worst part. Instead of just using the stolen info for itself, it sells the credentials or uses them directly for spam, financial fraud, and blackmail. And the fact that it's even collecting Slack credentials? That's a clear sign they want to blackmail companies with employee conversations. That's some next-level threat right there.

TIP What's unusual about PCPJack is that it doesn't do any cryptocurrency mining at all. Most server hacks involve secretly mining crypto, but this malware is laser-focused solely on stealing and spreading information. The fact that it's so single-minded about this mission makes it even more dangerous.

How Does This Affect Me? More Than You'd Think

You might be thinking, "Well, I don't even use servers, so it's not my problem." But here's the thing—all those services you use every day? Online shopping, food delivery apps, your company's management systems? They're all running on servers somewhere. When those servers get hacked like this, your personal information becomes vulnerable too.

Office workers especially need to pay attention. You probably use Slack, Notion, Google Workspace, stuff like that at work, right? If hackers steal the login credentials for these tools, your conversations, contracts, and customer information all leak out. And honestly, that's not just your personal problem—it becomes a crisis for the entire company.

What You Can Do Right Now

Don't panic though. There are simple things you can do to seriously reduce the damage. If you're at a small company without a dedicated IT team, just focus on these three things.

1. Turn on two-factor authentication for all work accounts. Even if your password gets stolen, two-factor authentication keeps hackers from actually logging in. It's super easy to set up in the settings menu of Slack, Google, AWS—whatever you use. Takes like 5 minutes tops.

2. Regularly delete old API keys and access tokens. This is especially important for developers. Those old test keys you created, accounts from employees who left, credentials for services you don't even use anymore—all of that becomes a hacker's buffet. Just do a quick audit once a quarter and things improve dramatically.

3. Minimize services exposed to the internet. If server programs like Docker or databases are just sitting out there on the internet with no protection, they become PCPJack's #1 target. Ask your IT team to block any external access to services that don't actually need it.

Frequently Asked Questions

Q. We're just a small startup. Could we really become a target for something like this?

A. Absolutely—and honestly, you might be at even higher risk. PCPJack and similar worms aren't targeting specific companies. They automatically hunt for vulnerable servers exposed on the internet. Smaller companies often don't have security staff, so their configurations tend to be loose, which actually makes them easier targets.

Q. How would I even know if my Slack or Google account got compromised?

A. Regularly check the "Login Activity" or "Active Sessions" menu in each service. If you see login attempts from unknown devices or weird countries, change your password immediately and log out all active sessions. And definitely make sure security alert emails are turned on.

That whole PCPJack story we just talked about—honestly, when you see it in the news it seems like "some IT stuff that has nothing to do with me," right? But once you understand it, you realize this threat is actually closer to your daily life than you'd think. The point is, you don't need some elaborate security setup. A few small habits can seriously prevent major damage. Keep that in mind! 😊