New PCPcat Exploiting React2Shell Vulnerability to compromise 59,000+ Servers


A new malware campaign called PCPcat has successfully compromised more than 59,000 servers in under 48 hours through targeted exploitation of critical vulnerabilities in Next.js and React frameworks.

The malware targets Next.js deployments by exploiting two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478, which allow remote code execution without authentication.

The attack uses prototype pollution and command injection techniques to execute harmful commands on vulnerable servers.

The campaign has shown a 64.6 percent success rate, which is unusually high for such operations. PCPcat scans public-facing Next.js applications at scale, testing 2,000 targets in each batch and running these scans every 30 to 60 minutes.

The malware operates via a command-and-control server in Singapore that orchestrates the operation across three main ports.

Port 666 serves as the distribution center for harmful payloads, port 888 handles reverse tunnel connections, and port 5656 runs the main control server that assigns targets and collects stolen data.


While monitoring Docker honeypots, the researchers who spotted the campaign mapped the operation’s complete infrastructure through reconnaissance of the command-and-control server.

Security analysts at Beelzebub identified that the malware first tests targets with a simple command to check if they are vulnerable before launching the full attack chain.

Once a vulnerable server is found, the malware extracts environment files, cloud credentials, SSH keys, and shell command history files.

The stolen information gets sent back to the control server through simple HTTP requests that require no authentication.

After stealing credentials, the malware attempts to install additional tools for long-term access. It downloads a script that sets up GOST proxy software and FRP reverse tunneling tools on the compromised server.

These tools create hidden channels that allow attackers to maintain access even after the initial vulnerability is patched.

Exploit Mechanism and Code Execution

The attack works by sending a specially crafted JSON payload to vulnerable Next.js servers.

This payload manipulates the JavaScript prototype chain and injects commands into the child process execution function.

The malware uses the following structure:

payload = {
    "then": "$1:__proto__:then",
    "status": "resolved_model",
    "_response": {
        "_prefix": "var res=process.mainModule.require('child_process')
                    .execSync('COMMAND_HERE').toString();"
    }
}

This payload forces the server to run any command the attacker wants. The results get returned through a specially formatted redirect header, allowing the malware to extract data without raising immediate suspicion.

The malware then systematically searches for valuable files like AWS credentials in the .aws folder, Docker configuration files, Git credentials, and bash history containing recently used commands.

To maintain persistence, the malware creates multiple system services that restart automatically if stopped or if the server reboots.

These services run the proxy and scanning tools continuously, keeping the compromised server active in the botnet. The installation happens in multiple locations to ensure at least one copy survives security cleanup efforts.

Network administrators can detect this activity by monitoring connections to the command-and-control server IP address 67.217.57.240 on ports 666, 888, and 5656, looking for systemd services with names containing pcpcat, and checking for unusual outbound connections carrying JSON data containing environment variables or credentials.
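A host-side check for the first two indicators above, added here as an illustration and not code from the researchers who reported the campaign. It assumes socket lines in the column layout of `ss -tn` (local address in the fourth column, peer in the fifth) and unit names in the first column of `systemctl list-units` output; the sample lines are constructed.

```python
import re

# Indicators named in the article: the C2 address, its three ports, and the
# naming marker of the persistence units.
C2_IP = "67.217.57.240"
C2_PORTS = {666, 888, 5656}
SERVICE_MARKER = "pcpcat"
# Peer column of `ss -tn`-style output (assumed layout): "ip:port" or "[ipv6]:port".
_PEER_RE = re.compile(r"^\[?([^\]]+?)\]?:(\d+)$")

def c2_connections(ss_lines):
    """Return (local, peer_ip, peer_port) for sockets talking to the C2 on a known port."""
    hits = []
    for line in ss_lines:
        cols = line.split()
        if len(cols) < 5 or cols[0] in ("State", "Netid"):
            continue  # header or malformed line
        m = _PEER_RE.match(cols[4])
        if m and m.group(1) == C2_IP and int(m.group(2)) in C2_PORTS:
            hits.append((cols[3], m.group(1), int(m.group(2))))
    return hits

def suspicious_units(unit_lines):
    """Return systemd unit names containing the pcpcat marker (case-insensitive)."""
    return [cols[0] for cols in (l.split() for l in unit_lines)
            if cols and SERVICE_MARKER in cols[0].lower()]

def scan(ss_lines, unit_lines):
    return {"c2_connections": c2_connections(ss_lines),
            "suspicious_units": suspicious_units(unit_lines)}

# Constructed sample input (not real telemetry): a benign socket, one C2 socket,
# one to the C2 IP on an unrelated port, and one pcpcat-named unit.
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.0.0.5:443 203.0.113.7:51234",
    "ESTAB 0 0 10.0.0.5:43122 67.217.57.240:5656",
    "ESTAB 0 0 10.0.0.5:43123 67.217.57.240:443",
]
SAMPLE_UNITS = [
    "ssh.service loaded active running OpenBSD Secure Shell server",
    "PCPcat-proxy.service loaded active running PCPcat proxy",
]

if __name__ == "__main__":
    report = scan(SAMPLE_SS, SAMPLE_UNITS)
    for local, ip, port in report["c2_connections"]:
        print(f"C2 connection: {local} -> {ip}:{port}")
    for unit in report["suspicious_units"]:
        print(f"Suspicious unit: {unit}")
```

On a live host, feed it the output of `ss -tn` and `systemctl list-units --type=service --all --no-legend` line by line; a connection to the C2 IP on a port other than the three listed is deliberately not flagged, so widen C2_PORTS if you want any contact with that address reported.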
