PCPcat Malware Leverages React2Shell Vulnerability to Breach 59,000+ Servers


A sophisticated attack campaign attributed to a group identifying as “PCP” has compromised 59,128 servers in less than 48 hours by exploiting critical Next.js vulnerabilities.

Security researchers discovered the large-scale operation while monitoring a Docker honeypot, uncovering an industrialized attack infrastructure with command-and-control capabilities targeting React-based applications globally.

The campaign leverages CVE-2025-29927 and CVE-2025-66478, two critical Remote Code Execution vulnerabilities in the Next.js and React frameworks, achieving an alarming 64.6% exploitation success rate.

Direct reconnaissance of the active command-and-control (C2) server revealed that PCPcat has already scanned 91,505 IP addresses, with confirmed compromises reaching nearly 60,000 systems.

Analysis of the C2 API's /stats endpoint exposed operational metrics showing that the attackers currently process 2,000 IPs per batch; at that pace, roughly 41,000 additional servers would be compromised per day if the campaign maintains its current velocity.

The attack demonstrates characteristics of large-scale intelligence operations combined with industrial-scale data exfiltration.

Researchers estimate that between 300,000 and 590,000 credential sets have already been stolen, with daily harvesting potentially reaching 307,500 additional credentials at current exploitation rates.

React2Shell Vulnerability

The PCPcat malware initiates attacks through massive reconnaissance of public Next.js domains, employing sophisticated JSON payload manipulation combined with prototype pollution techniques.

The exploit chain executes commands through child_process.execSync() functions, with results exfiltrated via HTTP header redirects.

Figure: Reconnaissance & Exploitation

Initial vulnerability verification occurs through simple command execution tests, confirming Remote Code Execution before proceeding to systematic credential extraction.

Upon successful exploitation, the malware prioritizes extraction of highly sensitive files, including environment variable files (.env), SSH private keys, AWS credentials, Docker configuration files, Git credentials, and system authentication files.

Researchers observed the malware querying ~/.bash_history to capture recent command sequences, enabling attackers to identify additional attack vectors within compromised environments.

The campaign establishes persistence through installation of GOST v2.12.0, a SOCKS5 proxy deployed on localhost:1080, and FRP (Fast Reverse Proxy) v0.52.3, which creates outbound tunnels to the C2 infrastructure.

These tools enable network pivoting and long-term access persistence through systemd service creation with automatic restart capabilities that survive system reboots.

The C2 infrastructure operates from a Singapore-based server (67.217.57.240) across three primary ports.

Figure: Data Pipeline

Port 666 functions as the distribution server delivering malicious payloads, port 888 hosts the FRP reverse tunnel infrastructure, and port 5656 serves as the API command center.

Critically, the C2 API operates without authentication or authorization mechanisms, allowing unrestricted access to operational endpoints.

Critical C2 Security Vulnerabilities

Analysis of the exposed C2 API revealed multiple security vulnerabilities. The /domains endpoint returns 2,000 target IP addresses per request without client validation.

The /result endpoint accepts credential data without input sanitization, successfully ingesting fake AWS credentials, GitHub tokens, and SSH keys during testing.

Most critically, the /stats endpoint publicly exposes complete campaign metrics, including total targets scanned, successful exploitations, credential collection counts, and operational batch information.

Organizations running Next.js or React applications should immediately implement patched versions addressing CVE-2025-29927 and CVE-2025-66478.

Security teams should audit environment variables, SSH keys, and credential stores for unauthorized access indicators.

Network monitoring should prioritize detection of outbound connections to 67.217.57.240 on ports 666, 888, and 5656, along with GOST and FRP process identification on compromised systems.
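The two detection steps recommended above (outbound connections to the C2 host on its three ports, and GOST/FRP persistence via systemd) can be checked mechanically. The following is an added example written for this page, not code from the researchers or the article. The C2 IP and port roles are taken from the article; the connection-log format, the log lines themselves, and the systemd unit contents are constructed for illustration.

```python
import re

# Indicators reported in the article: the C2 host and the role of each port.
C2_IP = "67.217.57.240"
C2_PORTS = {666: "payload distribution", 888: "FRP reverse tunnel", 5656: "C2 API"}

# Binary names of the persistence tooling named in the article (GOST, FRP).
SUSPECT_BINARIES = ("gost", "frps", "frpc", "frp")

# Constructed sample connection log. Hypothetical format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_CONN_LOG = """\
2025-12-06T10:01:02Z tcp 10.0.0.12:51234 -> 142.250.80.46:443
2025-12-06T10:01:05Z tcp 10.0.0.12:51240 -> 67.217.57.240:666
2025-12-06T10:01:09Z tcp 10.0.0.12:51241 -> 67.217.57.240:888
2025-12-06T10:02:13Z tcp 10.0.0.12:51250 -> 67.217.57.240:22
2025-12-06T10:03:00Z tcp 10.0.0.12:51260 -> 67.217.57.240:5656
"""

CONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def scan_connection_log(text):
    """Return one finding per line whose destination is the C2 host.

    Connections to the three documented ports are rated 'high'. Any other port
    on the same host is still reported ('medium'): the host itself is the
    indicator, and the tooling may be reconfigured to other ports."""
    findings = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, _proto, _src, _sport, dst, dport = m.groups()
        if dst != C2_IP:
            continue
        port = int(dport)
        role = C2_PORTS.get(port)
        findings.append({
            "timestamp": ts,
            "dst_port": port,
            "severity": "high" if role else "medium",
            "role": role or "undocumented port on C2 host",
        })
    return findings


# Constructed sample systemd units (hypothetical paths and contents). The first
# mirrors the persistence pattern described: ExecStart runs gost as a SOCKS5
# proxy on localhost:1080 and Restart=always survives reboots.
SAMPLE_UNITS = {
    "/etc/systemd/system/gost.service": """\
[Unit]
Description=System Helper
After=network.target

[Service]
ExecStart=/usr/local/bin/gost -L socks5://127.0.0.1:1080
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/nginx.service": """\
[Unit]
Description=nginx

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon off;'
Restart=on-failure
""",
}


def audit_systemd_units(units):
    """Flag units whose ExecStart launches a suspect binary.

    Records whether Restart=always is set (the reboot-survival mechanism the
    article describes) and whether the command line references port 1080."""
    hits = []
    for path, body in units.items():
        exec_start = restart = None
        for raw in body.splitlines():
            line = raw.strip()
            if line.startswith("ExecStart="):
                exec_start = line.split("=", 1)[1]
            elif line.startswith("Restart="):
                restart = line.split("=", 1)[1]
        if not exec_start:
            continue
        binary = exec_start.split()[0].rsplit("/", 1)[-1].lower()
        if binary in SUSPECT_BINARIES:
            hits.append({
                "unit": path,
                "binary": binary,
                "auto_restart": restart == "always",
                "local_socks_1080": ":1080" in exec_start,
            })
    return hits


if __name__ == "__main__":
    for finding in scan_connection_log(SAMPLE_CONN_LOG):
        print("NETWORK", finding)
    for hit in audit_systemd_units(SAMPLE_UNITS):
        print("PERSISTENCE", hit)
```

In practice the constructed log would be replaced by the organisation's own flow or firewall export, and the unit dictionary by the contents of /etc/systemd/system and /usr/lib/systemd/system; the matching logic stays the same. Matching on the binary name alone will miss a renamed binary, so a hit list of zero is not proof of a clean host, only that the documented indicators are absent.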
