Operation PCPcat: Massive Cyber Espionage Campaign Compromises Over 59,000 Servers in 48 Hours
A large-scale cyber espionage campaign, dubbed Operation PCPcat, has compromised more than 59,000 servers in just 48 hours. The attack targets systems built on React-based server-side frameworks, most notably Next.js, and has already led to the theft of hundreds of thousands of credentials.
Discovery and Attack Chain
Security researchers uncovered the campaign after detecting unusual activity across multiple honeypot environments. Further analysis revealed a highly automated attack chain controlled by a centralized command-and-control (C2) server hosted in Singapore. The attackers exploit recently disclosed vulnerabilities (detailed below) to achieve remote code execution (RCE) at scale.
Available data shows that Operation PCPcat scanned 91,505 IP addresses globally and successfully compromised 59,128 of them, a 64.6% success rate. At its peak, the campaign was breaching approximately 41,000 servers per day, making it one of the fastest-moving attacks ever observed against React-based deployments.
Exploited Vulnerabilities and Initial Access
The attackers exploit two critical Next.js vulnerabilities: CVE-2025-29927, a middleware authorization bypass, and CVE-2025-66478, which enables unauthenticated remote code execution. The attack begins with mass scanning of publicly exposed hosts running vulnerable React frameworks. Once a target is identified, the attackers send crafted JSON data that abuses prototype pollution, a well-known JavaScript vulnerability class: keys in the attacker-controlled data are written into shared object prototypes, changing the behaviour of code that never touched the request and ultimately leading to command execution. Because neither step needs valid credentials, the chain bypasses authentication entirely and grants full control of the compromised server.
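The following is an added illustration of the prototype-pollution class described above; it is not code from the report, from the PCPcat payload, or from React or Next.js. It shows a recursive merge that trusts keys from attacker-controlled JSON, the effect that has on an unrelated object, and a hardened merge plus an input check that rejects the dangerous keys. The JSON body, the `isAdmin` flag and the function names are assumptions made for the example.

```javascript
// Added example, not code from the report or from React/Next.js. Demonstrates the
// prototype-pollution vulnerability class: a recursive merge that trusts
// attacker-controlled JSON keys, its effect on objects the request never touched,
// and a hardened merge plus an input check for the dangerous keys.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// CONSTRUCTED attacker body. It looks like a harmless settings update, but the
// "__proto__" member becomes a real own property after JSON.parse.
const ATTACKER_JSON = '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: target["__proto__"] resolves to Object.prototype, so the recursion
// writes the attacker's keys onto the prototype shared by every plain object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: never follow prototype-related keys, and only descend into
// properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;   // drop silently; the edge check below rejects loudly
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Edge check for request bodies: true if any nested key is a pollution vector.
function hasPollutionKeys(value) {
  if (Array.isArray(value)) return value.some(hasPollutionKeys);
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some((k) => FORBIDDEN_KEYS.has(k) || hasPollutionKeys(value[k]));
}

// Simulates the server applying the body, then inspects an object the request
// never touched (e.g. a session created elsewhere). Cleans up afterwards.
function demoUnsafe() {
  const config = unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const freshUser = {};
  const leaked = freshUser.isAdmin === true;   // true: Object.prototype was polluted
  delete Object.prototype.isAdmin;             // undo so the rest of the process is usable
  return { leaked, theme: config.settings.theme };
}

function demoSafe() {
  const config = safeMerge({}, JSON.parse(ATTACKER_JSON));
  const freshUser = {};
  return { leaked: freshUser.isAdmin === true, theme: config.settings.theme };
}

console.log('unsafe merge:', demoUnsafe());                           // leaked: true
console.log('safe merge:', demoSafe());                               // leaked: false
console.log('body rejected:', hasPollutionKeys(JSON.parse(ATTACKER_JSON)));  // true
```

Both merges preserve the legitimate `settings.theme` value, which is why such payloads pass casual functional testing; only the check on an unrelated object reveals the pollution. In a real service, run `hasPollutionKeys` on parsed bodies before any merge or deserialization step and reject the request, and treat the skip in `safeMerge` as defence in depth rather than the primary control.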
Credential Theft and Post-Exploitation
After gaining access, the malware deployed by Operation PCPcat acts as a highly efficient credential stealer, immediately searching for sensitive data such as:
- .env configuration files
- SSH private keys
- Cloud service credentials
- System environment variables
These stolen credentials can provide attackers with access to broader infrastructure components, including AWS accounts, Docker environments, and internal networks. Researchers estimate that between 300,000 and 590,000 credential sets have already been exfiltrated, significantly increasing the risk of secondary attacks.
Centralized C2 Infrastructure
The compromised servers are managed through a centralized C2 server located at 67.217.57.240 in Singapore. This server coordinates scanning targets and collects stolen data. Interestingly, the attackers left an internal statistics dashboard publicly accessible, allowing researchers to monitor the campaign’s scale and efficiency in real time.
Persistence and Self-Propagation
To maintain persistence, the malware installs proxy tools such as GOST and Fast Reverse Proxy (frp), configured as systemd services so they restart automatically after a reboot. Each infected machine requests 2,000 new target IPs from the C2 server every 45 minutes, creating a self-sustaining infection loop that expands rapidly without direct operator involvement. This level of automation suggests a highly organized and well-funded threat actor rather than an opportunistic attack.
Detection and Defensive Measures
Organizations running React or Next.js should assume potential exposure and act immediately by:
- Upgrading Next.js and React to versions patched against CVE-2025-29927 and CVE-2025-66478
- Auditing .env files and rotating every credential they contain, along with SSH keys and cloud credentials stored on affected hosts
- Reviewing web server and system logs for suspicious activity, including unexpected systemd services running GOST or frp
- Monitoring and blocking outbound traffic to known C2 infrastructure, including 67.217.57.240
- Deploying YARA signatures to detect PCPcat malware
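As an added host-triage example covering both the persistence indicators described earlier (GOST and frp installed as systemd services) and the C2 monitoring step above, the script below applies those two indicators to command output. It is not code from the report or from any vendor tool; the `ss -ntp` and `systemctl list-units` lines are constructed samples in the shape of the real output, and the function names are the example's own.

```javascript
// Added triage example, not code from the report. It applies two indicators the
// article gives: the C2 address 67.217.57.240 and GOST / Fast Reverse Proxy (frp)
// installed as systemd services. SS_SAMPLE and UNITS_SAMPLE are CONSTRUCTED to
// look like `ss -ntp` and `systemctl list-units --type=service --all --no-legend`
// output; on a real host, pass the output of those commands instead.

const C2_IOCS = new Set(['67.217.57.240']);                        // from the report
const PROXY_TOOL_RE = /\b(gost|frp[cs]?|fast reverse proxy)\b/i;   // GOST, frpc/frps

const SS_SAMPLE = `State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41822 67.217.57.240:443 users:(("gost",pid=2130,fd=7))
ESTAB 0 0 10.0.0.5:52014 140.82.112.4:443 users:(("node",pid=1108,fd=19))
ESTAB 0 0 10.0.0.5:36600 67.217.57.240:8080 users:(("frpc",pid=2144,fd=5))`;

const UNITS_SAMPLE = `gost.service loaded active running GOST
frpc.service loaded active running Fast Reverse Proxy Client
nginx.service loaded active running A high performance web server
ssh.service loaded active running OpenBSD Secure Shell server`;

// Parse `ss -ntp` lines into {state, local, peerIp, peerPort, process, pid}.
function parseSs(text) {
  const conns = [];
  for (const line of text.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 5 || cols[0] === 'State') continue;   // skip blank and header lines
    const [state, , , local, peer, proc = ''] = cols;
    const cut = peer.lastIndexOf(':');                      // last colon also works for [v6]:port
    const m = /\("([^"]+)",pid=(\d+)/.exec(proc);           // users:(("name",pid=N,fd=M))
    conns.push({
      state,
      local,
      peerIp: peer.slice(0, cut).replace(/^\[|\]$/g, ''),  // strip IPv6 brackets if present
      peerPort: Number(peer.slice(cut + 1)),
      process: m ? m[1] : null,
      pid: m ? Number(m[2]) : null,
    });
  }
  return conns;
}

// Return unit names whose name or description mentions GOST or frp.
function findProxyUnits(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const cols = line.trim().replace(/^[●*]\s*/, '').split(/\s+/);  // drop systemd's failed-unit bullet
    if (cols.length < 4 || !cols[0].endsWith('.service')) continue;
    const unit = cols[0];
    const description = cols.slice(4).join(' ');
    if (PROXY_TOOL_RE.test(unit) || PROXY_TOOL_RE.test(description)) hits.push(unit);
  }
  return hits;
}

function triage(ssText, unitsText) {
  const c2Connections = parseSs(ssText).filter((c) => C2_IOCS.has(c.peerIp));
  const proxyUnits = findProxyUnits(unitsText);
  return { c2Connections, proxyUnits, suspicious: c2Connections.length > 0 || proxyUnits.length > 0 };
}

console.log(JSON.stringify(triage(SS_SAMPLE, UNITS_SAMPLE), null, 2));
```

To run it against a live host, replace the samples with `execSync('ss -ntp').toString()` and `execSync('systemctl list-units --type=service --all --no-legend').toString()` from `child_process`. A hit on either check is grounds for isolating the host and starting the credential rotation listed above, since the report places the credential theft before persistence is set up.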
The campaign underscores the growing risk to modern JavaScript ecosystems, where widespread adoption of React and Next.js, combined with misconfigurations or unpatched vulnerabilities, enables large-scale compromise with long-term implications for cloud and enterprise environments.
To stay ahead of evolving threats, security teams should leverage AI-powered threat intelligence and consider booking a free demo with Cyble for real-time visibility and proactive protection against emerging cyber risks.