Researchers have discovered a campaign that has compromised more than 59,000 internet-facing Next.js servers in less than 48 hours, signaling a dangerous escalation in automated credential theft.
Dubbed Operation PCPcat, the campaign weaponizes critical vulnerabilities in popular React-based web infrastructure to harvest cloud credentials at massive scale.
“This is what industrialized exploitation looks like,” security researcher Mario Candela wrote in the analysis.
59K Servers Compromised in Hours
According to Candela’s investigation, PCPcat scanned more than 91,000 public Next.js deployments in roughly 33 hours, successfully compromising 59,128 of them — a 64.6% success rate.
The attackers exploited two critical vulnerabilities, tracked as CVE-2025-29927 and CVE-2025-66478, both of which enable remote code execution (RCE) when left unpatched.
Affected environments include production web servers, development systems, and cloud-hosted applications across AWS, Azure, and Google Cloud platforms.
Once compromised, systems were used as credential harvesting nodes, pulling secrets from environment files, SSH configurations, cloud provider credential stores, Docker tokens, Git repositories, and shell histories.
This approach suggests a focus on long-term access, cloud pivoting, and credential resale rather than simple disruption.
Inside the PCPcat Exploitation Chain
PCPcat relies on a Python-based malware component, react.py, which probes exposed Next.js servers for exploitable conditions tied to prototype pollution flaws.
By injecting crafted JSON payloads, the attackers manipulate application objects and execute system-level commands through Node.js child process functions.
Successful exploitation is first validated with a simple id command before moving into full credential collection.
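The prototype-pollution mechanism the analysis describes, shown from the defender's side in an added example (this is not code from Candela's analysis, from the PCPcat malware, or from the Next.js project, and it does not reproduce the specific CVE conditions). A JSON body whose keys are named `__proto__`, `constructor` or `prototype` is parsed by `JSON.parse` into ordinary own properties, so a naive recursive merge walks into `Object.prototype` and every object in the process inherits attacker-controlled values. The block contrasts that vulnerable merge with a request-body screener and a merge that skips prototype keys; the sample payload is constructed for illustration.

```javascript
// Added example (not from the article or from Next.js/React): prototype
// pollution via JSON bodies, a screener that rejects such bodies, and a
// merge that never writes through to Object.prototype.

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: for...in plus unguarded recursion. With a src key of
// "__proto__", target['__proto__'] resolves to Object.prototype, which is
// then written to and shared by every object in the process.
function unsafeMerge(target, src) {
  for (const key in src) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Screener: walk a parsed body and report JSONPath-style locations of
// prototype keys so the request can be rejected or logged before any merge.
function findPollutionKeys(value, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, out));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) { // own keys only
      const here = `${path}.${key}`;
      if (POLLUTION_KEYS.has(key)) out.push(here);
      findPollutionKeys(value[key], here, out);
    }
  }
  return out;
}

// Gate for a request handler: invalid JSON and bodies carrying prototype
// keys are refused; clean bodies are returned parsed.
function screenJsonBody(text) {
  let body;
  try {
    body = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON', findings: [], body: null };
  }
  const findings = findPollutionKeys(body);
  return findings.length
    ? { ok: false, reason: 'prototype key in body', findings, body: null }
    : { ok: true, reason: null, findings, body };
}

// Hardened merge: own keys only, prototype keys skipped, recursion only into
// plain objects that are own properties of target.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (POLLUTION_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample payload for the demonstration (not from the campaign).
const SAMPLE_BODY = '{"name":"demo","__proto__":{"polluted":true}}';
console.log(screenJsonBody(SAMPLE_BODY));
```

Running the block prints the screener's verdict for the constructed body. In a Next.js route handler the same `screenJsonBody` call would sit in front of any code that merges request data into configuration or state objects; `unsafeMerge` is included only to make the failure visible when compared with `safeMerge`.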
After data extraction, compromised hosts download a secondary payload from attacker infrastructure that installs multiple persistence mechanisms.
These include SOCKS5 proxy services using GOST, FRP reverse tunnels to enable inbound access, and systemd services that ensure the malware survives reboots.
Honeypot telemetry also revealed abuse of exposed Docker APIs, allowing attackers to establish container-based persistence where possible.
Operational Security Mistakes in PCPcat
One of the most alarming aspects of PCPcat is the attackers’ operational security failure. The campaign’s primary command-and-control server exposed an unauthenticated API that publicly leaked operational metrics.
Through a /stats endpoint, researchers confirmed the number of scanned targets, successful compromises, and tasking behavior in real time.
Additional endpoints handled target distribution, data exfiltration, and health checks — effectively providing a live dashboard of the attack.
This visibility allowed researchers to confirm not only the scale of the campaign but also its automation, batch processing behavior, and ongoing activity.
Hardening Cloud-Based Application Environments
Organizations running Next.js and React applications should treat exposed services and stored credentials as potential risks, particularly in cloud and containerized environments.
Effective risk reduction requires coordinated patching, credential management, runtime hardening, and continuous monitoring across application and infrastructure layers.
- Apply patches for CVE-2025-29927 and CVE-2025-66478 immediately, and restrict public exposure of Next.js and React applications to only required services.
- Rotate all potentially exposed credentials and migrate secrets from .env files to managed secrets platforms using short-lived, least-privilege identities.
- Block known command-and-control infrastructure and implement outbound traffic controls to detect or prevent unauthorized exfiltration and tunneling.
- Monitor for post-exploitation persistence, including unauthorized systemd services, proxy processes, container creation, and unexpected runtime behavior.
- Harden application and runtime environments by limiting Node.js process privileges, disabling unnecessary child process execution, and enforcing non-root execution.
- Strengthen detection and response capabilities with continuous monitoring, cloud IAM auditing, and credential-theft–focused incident response playbooks.
Together, these actions help minimize risk and strengthen security controls across modern application stacks.
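One way to act on the persistence-monitoring item above, as an added example that is not code from the article or from any project it names: a small audit over systemd unit definitions that flags the pattern the analysis describes (proxy and tunnel binaries such as GOST or FRP launched from writable or temporary paths, SOCKS5 listeners on the command line, and Restart= settings that keep such a service alive). The caller supplies the unit text, for instance read from /etc/systemd/system/*.service and each user's ~/.config/systemd/user; the three sample units below are constructed for the demonstration, and the binary names and path prefixes are assumptions a team should extend with its own baseline.

```javascript
// Added example (not from the article): audit systemd unit text for the
// persistence pattern attributed to PCPcat. Unit contents are passed in as
// strings; sample units here are constructed, not recovered from any host.

const TUNNEL_TOOLS = new Set(['gost', 'frpc', 'frps']);          // assumed watchlist
const WRITABLE_PREFIXES = ['/tmp/', '/var/tmp/', '/dev/shm/', '/home/', '/root/'];

// Minimal INI-style parser: { Section: { Key: [values...] } }. Keys such as
// ExecStart may repeat, so every key maps to a list of values.
function parseUnit(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      current = sections[sec[1]] || (sections[sec[1]] = {});
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || !current) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    (current[key] || (current[key] = [])).push(value);
  }
  return sections;
}

// Return { unit, findings } for one unit. Each ExecStart= line is checked
// for a binary in a writable path, a known proxy/tunnel tool name, and a
// SOCKS5 listener; Restart= is reported only when something else matched.
function auditUnit(name, text) {
  const service = parseUnit(text).Service || {};
  const findings = [];
  for (const exec of service.ExecStart || []) {
    const cmd = exec.replace(/^[-@+!:]+/, '');   // strip systemd exec prefixes
    const bin = cmd.split(/\s+/)[0] || '';
    const base = bin.slice(bin.lastIndexOf('/') + 1);
    if (!bin.startsWith('/')) findings.push(`non-absolute ExecStart binary: ${bin}`);
    if (WRITABLE_PREFIXES.some((p) => bin.startsWith(p))) {
      findings.push(`ExecStart binary in writable/temp path: ${bin}`);
    }
    if (TUNNEL_TOOLS.has(base)) findings.push(`known proxy/tunnel tool: ${base}`);
    if (/socks5:\/\//i.test(cmd)) findings.push('SOCKS5 listener configured on command line');
  }
  const restart = service.Restart ? service.Restart[service.Restart.length - 1] : null;
  if (findings.length && (restart === 'always' || restart === 'on-failure')) {
    findings.push(`Restart=${restart} keeps the suspicious service alive`);
  }
  return { unit: name, findings };
}

// Audit a map of { unitName: unitText } and keep only units with findings.
function auditAll(units) {
  return Object.entries(units)
    .map(([name, text]) => auditUnit(name, text))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample units: one benign, two mimicking the described pattern.
const SAMPLE_UNITS = {
  'sshd.service': `[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
[Install]
WantedBy=multi-user.target`,
  'sysupdate.service': `[Unit]
Description=system update
[Service]
ExecStart=/tmp/.cache/gost -L socks5://:1080
Restart=always
[Install]
WantedBy=multi-user.target`,
  'net-helper.service': `[Unit]
Description=network helper
[Service]
ExecStart=-/dev/shm/frpc -c /dev/shm/frpc.ini
Restart=always
[Install]
WantedBy=multi-user.target`,
};

console.log(JSON.stringify(auditAll(SAMPLE_UNITS), null, 2));
```

The output lists the two constructed units with their findings and omits sshd.service. Feeding real unit text through `auditAll` on a schedule, and diffing the result against a known-good inventory, turns the "unauthorized systemd services" item in the list above into a concrete check; the same structure extends to the container-creation and proxy-process items by adding rules over `docker ps` output or listening sockets.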
The Shift to Infrastructure-Based Attacks
Operation PCPcat underscores a broader shift in the threat landscape, where attackers increasingly focus on compromising application infrastructure to systematically harvest credentials rather than disrupt operations through defacement or ransomware.
This approach prioritizes stealth, scale, and long-term access, enabling attackers to monetize stolen credentials across multiple environments while often remaining undetected.
This shift underscores the growing importance of software supply chain security in modern environments.
