EXPPWD is an internal PAM user that is used by Expired Password Service to update password when it is expired. The password update was triggered by "Automatically Update Expired Passwords" setting in Settings >> Credential Manager >> "General Settings" tab.

There is a background thread for expired passwords that is started whenever tomcat (CSPM)  starts up. The task will only perform the update expired passwords only when it is enabled from the UI ( "Automatically Update Expired Password" is selected in Settings >> Credential Manager >> General Settings page) but the task is always running in the background at 12 hours interval by default.

To avoid this kind of password update, de-select "Automatically Update Expired Passwords" box.