Operation PCPcat Exploits Next.js and React, Impacting 59,000+ Servers

A sophisticated credential-stealing campaign named “Operation PCPcat” has compromised over 59,000 Next.js servers worldwide, exploiting critical vulnerabilities in Next.js, the popular React-based web framework, to harvest authentication secrets at industrial scale.

Security researchers discovered the campaign through honeypot monitoring and gained direct access to the attackers’ command-and-control infrastructure, revealing alarming operational metrics.

The campaign maintains a 64.6% exploitation success rate, with 59,128 confirmed server compromises and approximately 300,000 to 590,000 credential sets stolen.

The threat actors leverage two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478, to achieve remote code execution on Next.js deployments.

The attack chain begins with mass scanning of public Next.js domains, followed by prototype pollution attacks that inject malicious commands through crafted JSON payloads.
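The prototype pollution class referred to above, shown as an added example rather than code from the report or from the campaign: a recursive JSON merge that walks into `Object.prototype` when it meets an attacker-supplied `__proto__` key, beside a hardened merge that refuses the dangerous keys. The payload, the merge helper and the probe are constructed for illustration; how the real campaign reaches a vulnerable sink inside Next.js is not shown on the page and is not reproduced here.

```javascript
// Added example (not code from the original report): the prototype-pollution
// class the article describes, demonstrated with a generic recursive JSON merge.

// Constructed attacker payload. JSON.parse creates "__proto__" as an *own*
// property, so a naive merge that iterates Object.keys() will visit it.
const ATTACKER_PAYLOAD = '{"name": "ok", "__proto__": {"polluted": "yes"}}';

// Vulnerable: recursive deep merge with no key filtering.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] resolves through the accessor to
      // Object.prototype, so the recursion writes into the global prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the three keys that reach the prototype chain, and create
// nested containers with a null prototype so nothing is inherited.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;   // or reject the whole request
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the payload through each merge and report what an unrelated object (the
// probe) now sees. Cleans up so the process is not left polluted afterwards.
function probeAfterUnsafeMerge() {
  const probe = {};
  try {
    unsafeMerge({}, JSON.parse(ATTACKER_PAYLOAD));
    return probe.polluted;   // 'yes': every plain object now inherits the attacker's key
  } finally {
    delete Object.prototype.polluted;
  }
}

function probeAfterSafeMerge() {
  const probe = {};
  const merged = safeMerge({}, JSON.parse(ATTACKER_PAYLOAD));
  return { leaked: probe.polluted, name: merged.name };   // { leaked: undefined, name: 'ok' }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('after unsafeMerge, probe.polluted =', probeAfterUnsafeMerge());
  console.log('after safeMerge,   probe.polluted =', probeAfterSafeMerge().leaked);
}
```

In a server process the polluted property is not a harmless string: any later code that reads an option it did not set explicitly (a shell flag, a template path, a command string) picks up the attacker's value, which is how a JSON body turns into command execution.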

Once inside a target system, the malware executes a systematic data extraction routine prioritizing .env files, SSH private keys, cloud credentials, and system environment variables.

The campaign’s command-and-control infrastructure, hosted in Singapore at 67.217.57.240, operates through four primary API endpoints that assign scanning targets, accept exfiltrated data, and provide operational statistics.

Notably, the C2 server exposes its complete campaign metrics through an unauthenticated GET /stats endpoint, revealing that the attackers have scanned 91,505 IP addresses with indiscriminate targeting.

For persistence, the malware installs GOST proxy software and Fast Reverse Proxy (FRP) components, creating systemd services that survive system reboots.

The attack infrastructure enables continuous scanning: each compromised machine queries the C2 server for 2,000 new targets every 45 minutes. At 32 batches a day that is 64,000 targets, which at the observed 64.6% success rate works out to roughly 41,000 additional compromised servers daily.

The campaign demonstrates characteristics of large-scale intelligence operations, with attackers showing advanced understanding of Next.js internals and cloud infrastructure.

According to Beelzebub, the malware specifically targets AWS credentials, Docker configurations, GitHub tokens, and other cloud-native authentication mechanisms commonly stored in development environments.

Organizations using Next.js should immediately upgrade to a release that patches both CVEs, audit their deployments for unauthorized access, review .env file contents, rotate every credential those files and the server environment exposed, and implement network segmentation.

Security teams can detect compromise with Suricata rules that flag prototype pollution attempts in request bodies, YARA signatures for the “pcpcat” malware, and behavioral analysis of unusual Node.js child_process execution from the Next.js server process.
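A small log-triage script, added here as an example and not part of the report, that applies three of the indicators above to constructed request and connection records: prototype-chain keys in JSON request bodies, the C2 address and ports from the IoC list, and the `x-middleware-subrequest` header, which is the known bypass mechanism of CVE-2025-29927 (a fact about that CVE, not something the report states). The record format and field names (`type`, `src`, `dst`, `dport`, `headers`, `body`) are assumptions; adapt the parser to whatever your proxy or Next.js server actually logs.

```javascript
// Added example (not from the original report): triage constructed log lines
// against three PCPcat-related indicators. Field names are assumptions.

const C2_HOST = '67.217.57.240';
const C2_PORTS = new Set([666, 888, 5656]);   // from the IoC list in the article
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk a parsed JSON value and return the dotted path of the first key that
// reaches the prototype chain, or null. "constructor" alone is a common
// legitimate key; it is flagged only when it leads to "prototype".
function findPollutionKey(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (key === '__proto__') return here.join('.');
    if (key === 'constructor' && value[key] !== null && typeof value[key] === 'object'
        && hasOwn(value[key], 'prototype')) {
      return [...here, 'prototype'].join('.');
    }
    const deeper = findPollutionKey(value[key], here);
    if (deeper) return deeper;
  }
  return null;
}

function inspectRecord(rec) {
  const findings = [];
  if (rec.type === 'http') {
    // Header names are case-insensitive; normalise before matching.
    const headers = Object.fromEntries(
      Object.entries(rec.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
    // CVE-2025-29927: the internal x-middleware-subrequest header arriving
    // from an external client is a bypass attempt (known CVE mechanism).
    if ('x-middleware-subrequest' in headers) findings.push('middleware_bypass_header');
    if (typeof rec.body === 'string' && rec.body.length) {
      let parsed = null;
      try { parsed = JSON.parse(rec.body); } catch (e) { /* non-JSON body: nothing to walk */ }
      const hit = parsed && findPollutionKey(parsed);
      if (hit) findings.push(`prototype_pollution_key:${hit}`);
    }
  } else if (rec.type === 'conn') {
    // Outbound contact with the C2 host on a port from the IoC list.
    if (rec.dst === C2_HOST && C2_PORTS.has(rec.dport)) {
      findings.push(`c2_contact:${rec.dst}:${rec.dport}`);
    }
  }
  return findings;
}

// Takes JSON-lines input; malformed lines are skipped rather than fatal.
function triage(lines) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    const findings = inspectRecord(rec);
    if (findings.length) alerts.push({ ts: rec.ts, src: rec.src, findings });
  }
  return alerts;
}

// Constructed sample records (not real captures). Two are benign on purpose.
const SAMPLE_RECORDS = [
  { type: 'http', ts: '2025-12-08T10:00:01Z', src: '203.0.113.7', method: 'POST', path: '/',
    headers: { 'content-type': 'text/plain' }, body: '{"a":{"__proto__":{"x":1}}}' },
  { type: 'http', ts: '2025-12-08T10:00:02Z', src: '203.0.113.7', method: 'GET', path: '/admin',
    headers: { 'X-Middleware-Subrequest': 'middleware' }, body: '' },
  { type: 'http', ts: '2025-12-08T10:00:03Z', src: '198.51.100.9', method: 'POST', path: '/api/login',
    headers: { 'content-type': 'application/json' }, body: '{"constructor":"ok","user":"bob"}' },
  { type: 'conn', ts: '2025-12-08T10:00:04Z', src: '10.0.0.5', dst: '67.217.57.240', dport: 5656 },
  { type: 'conn', ts: '2025-12-08T10:00:05Z', src: '10.0.0.5', dst: '198.51.100.9', dport: 443 },
];
const SAMPLE_LOG = SAMPLE_RECORDS.map((r) => JSON.stringify(r)).concat(['not json at all']);

if (typeof require !== 'undefined' && require.main === module) {
  for (const alert of triage(SAMPLE_LOG)) console.log(JSON.stringify(alert));
}
```

The body walk only sees what the server logged, so it is a complement to, not a replacement for, the network-level Suricata rules the report mentions; the connection check is the one most likely to catch an already-infected host, since the persistence components keep calling back to the same address.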

The campaign’s public C2 metrics suggest attackers may be unaware defenders have mapped their infrastructure, providing a narrow window for proactive defense before the threat actors adapt their tactics.

Indicators of Compromise (IoCs)

C2 Infrastructure

67.217.57.240:666    - Distribution server (payload hosting)
67.217.57.240:888    - FRP C2 (reverse tunneling)
67.217.57.240:5656   - Main C2 API (task assignment, data exfiltration)

API Endpoints

http://67.217.57.240:5656/domains    - Target assignment (fetches 2000 IPs)
http://67.217.57.240:5656/result     - Data exfiltration (accepts credential POST)
http://67.217.57.240:5656/health     - Health check
http://67.217.57.240:5656/stats      - Operational metrics (EXPOSES CAMPAIGN DATA)

http://67.217.57.240:666/files/proxy.sh         - Persistence installer
http://67.217.57.240:666/files/react.py         - Scanner/exploit module

