Skip to main content
Emerging ThreatsMalware & Ransomware

Cloud Worm CAI Disrupts Rivals, Steals Secrets and Mines Crypto

Dimly lit server room with rows of computer servers and networking equipment in disarray.

"CAI explicitly seeks out and kills TeamPCP and PCPJack processes, to further monopolize on compromised targets," security researcher Michael R. posted on X.

What CAI is and how it behaves

CAI — short for Cloud AI Infrastructure Attack Framework — is a centralized botnet and worm that combines credential theft with cryptomining and process domination, according to the reporting. The scripts are described as "heavily inspired" by other credential-stealing worms seen this year, and the framework "pilfers 'multiple' victims' credentials and mines for cryptocurrency" while actively eliminating competing malware on the same hosts.

Hunt.io threat researcher Michael Rippey told The Register that CAI consists of a scanning engine that feeds targets into automated exploit queues, with centralized command-and-control (C2) coordination across cloud infrastructure. Compromised hosts receive a mix of miners, credential stealers, and a Python backdoor, Rippey said.

Targets: Docker, Kubernetes, Redis, etcd, Kubelet and Ray

The worm focuses on cloud-native developer tooling and services. Hunt.io observed activity emphasizing Docker, Kubernetes, Redis, etcd, Kubelet, and Ray. Those platforms are the explicit objects of CAI's scanning and exploitation queues, per the reporting, making developer-facing infrastructure and orchestration components prime targets for both credential theft and persistent exploitation.

Competitive malware dynamics: TeamPCP, PCPJack and the reuse of code

CAI does not operate in isolation. The framework explicitly hunts down processes tied to TeamPCP and PCPJack — two other malware projects that have been active in cloud and supply-chain attacks this year. TeamPCP is identified in the reporting as the crew behind the mini Shai-Hulud, Miasma, and Canister worms that have been "poisoning open source registries and harvesting cloud access tokens, credentials, API keys, and other sensitive data" since the Trivy supply-chain attack earlier this year.

PCPJack is described as a newer copycat worm that steals secrets and deletes TeamPCP artifacts to evict that competitor from compromised infrastructure. CAI appears to have taken lessons from both rivals: the CAI codebase contains comments like "PCPJack-aligned," and the framework explicitly terminates TeamPCP and PCPJack processes to "monopolize" access to targets, the reporting states.

Hunt.io discovery, development timeline and evidence of compromise

Hunt.io's AttackCapture web-scanning engine first flagged CAI on June 15, when it found the first of three open directories linked to the operator. Rippey said the actor moved from testing worm code that mimicked PCPJack techniques to full production deployment and network compromise over the following three weeks. The codebase, he added, "shows signs of LLM-assisted development, reflecting a deliberate progression of someone studying what works to build a competitive platform."

Although Rippey characterized the malware as not "overly sophisticated," he stressed its effectiveness: recent C2 logs confirmed "active exploitation attempts," and wallet activity tied to the operation confirmed multiple successful compromises, according to the report. That combination of automated scanning, centralized C2 and monetized payloads — miners and credential stealers — is the engine behind CAI's activity.

What this means for security teams, open-source maintainers, and cloud operators

  • Security teams and cloud operators: CAI demonstrates a coordinated, automated approach to compromise that couples rapid scanning with post-exploit monopolization. Teams responsible for container and orchestration platforms should expect attackers to target Docker, Kubernetes, Kubelet, and stateful services such as Redis and etcd, and to deploy miners, secret-harvesters and backdoors on compromised hosts.
  • Open-source maintainers and package registries: The CAI narrative — and the reporting that TeamPCP and related worms have been "poisoning open source registries" — underscores the continued value attackers place on supply-chain access and developer secrets. Maintain situational awareness around registry integrity and any anomalous deletion or modification activity tied to development artifacts.
  • Developers and tool-chain owners: Because CAI's operators explicitly seek to eject competing malware and selectively harvest credentials, any leaked tokens, API keys or access credentials can be rapidly leveraged by multiple criminal toolkits. Controls that limit token scope and rotate secrets remain immediate bulwarks against automated credential harvesting.

CAI's arrival — observed moving quickly from test to production and employing both commodity payloads and targeted process-killing tactics — suggests a sharpening market among criminal toolmakers. As Michael Rippey noted, "CAI is a constantly evolving framework meant to rival toolkits utilized by TeamPCP and PCPJack." The question left by the record is not whether this pattern will continue — the report says it probably will — but how defenders will harden the specific cloud-native tooling CAI seeks to exploit before more installations are lost to miners and secret-harvesters.

Original story at The Register