PCPcat Operation Compromises 59,000 React Servers

Operation PCPcat: A Large-Scale Cyber Espionage Campaign Disrupts Web Infrastructure

In a large cyber espionage campaign labelled Operation PCPcat, more than 59,000 servers were compromised within 48 hours, exposing weaknesses in modern web architectures. The operation targets React-based server frameworks, chiefly Next.js, and has led to the unauthorized extraction of hundreds of thousands of credentials.

Security researchers first noticed the campaign as irregular activity in honeypot environments. Follow-up investigation revealed a highly automated attack chain driven by a centralized command-and-control (C2) server in Singapore, which exploits recently disclosed Next.js vulnerabilities to achieve remote code execution (RCE) at scale.

Figures from the campaign show 91,505 IP addresses scanned worldwide and 59,128 servers breached, a success rate of 64.6%. At its peak, nearly 41,000 servers were compromised in a single day, making this one of the fastest attacks against React-based deployments observed to date.

The intrusion chain rests on two Next.js vulnerabilities, CVE-2025-29927 and CVE-2025-66478. They are not the same kind of flaw: CVE-2025-29927 is an authorization bypass that lets a crafted request skip Next.js middleware, while CVE-2025-66478 permits arbitrary remote code execution. The operators mass-scan public address space for hosts serving the affected framework, then send vulnerable servers crafted JSON whose keys reach into JavaScript object prototypes. This technique, prototype pollution, is a long-established class of JavaScript vulnerability: properties the attacker injects onto a shared prototype are inherited by every object in the process, and in this chain that control is escalated until the server executes attacker-chosen commands.
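The following is an added illustration of the prototype-pollution step described above; it is not code from the PCPcat write-up, from the campaign's tooling, or from Next.js or React. It shows how a recursive merge of attacker-controlled JSON reaches `Object.prototype`, a hardened merge, and an input-side guard that rejects such documents before they are processed. The merge helper, the payload shape and the injected property name `isAdmin` are assumptions for illustration, not the exploit used in the campaign.

```javascript
// Added example, not code from the PCPcat write-up or from Next.js/React.
// The merge helper, payload shape and the "isAdmin" property are assumptions.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed request body of the shape an attacker would POST. JSON.parse creates
// an *own* property literally named "__proto__", which Object.keys() does return.
const PAYLOAD = '{"name":"pcpcat","__proto__":{"isAdmin":true}}';

// Vulnerable: copies every key of src into dst recursively. When key is "__proto__",
// dst[key] resolves through the accessor to Object.prototype, so the recursive call
// writes attacker properties onto the prototype shared by every object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: skip prototype-reaching keys, only descend into dst's *own* properties,
// and create nested containers that have no prototype at all.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined;
      if (own === null || typeof own !== 'object') dst[key] = Object.create(null);
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Input-side guard: refuse the document outright if any key at any depth is
// prototype-reaching. The reviver visits own keys, including "__proto__".
function parseJsonStrict(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) throw new SyntaxError(`rejected key: ${key}`);
    return value;
  });
}

// Run a merge on the payload and report whether an unrelated, freshly created
// object inherited the injected property. Cleans the prototype up afterwards so
// the rest of the process is unaffected.
function demonstrate(merge) {
  const config = merge({ name: 'default' }, JSON.parse(PAYLOAD));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { configName: config.name, polluted };
}
```

Running `demonstrate(unsafeMerge)` reports `polluted: true` even though the merged config itself looks harmless; `demonstrate(safeMerge)` keeps the legitimate `name` field and leaves the prototype untouched, and `parseJsonStrict(PAYLOAD)` throws before any merge runs. Both defences are worth having: the guard stops the obvious payload at the boundary, while the hardened merge protects against the same keys arriving through other parsers or internal data.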

Once on a host, the PCPcat malware acts primarily as a credential harvester: it searches the system for configuration files, SSH private keys, cloud service credentials, and environment variables. That material lets the attackers pivot into wider infrastructure such as AWS accounts and internal networks; estimates put the number of compromised credential sets between 300,000 and 590,000.

The operation is run from a centralized C2 server at IP address 67.217.57.240, also located in Singapore. It assigns new scanning targets to infected machines and collects the data they exfiltrate. Notably, an internal statistics dashboard was left exposed, which let outside observers measure the campaign's scope in real time and confirmed how far and how efficiently it had spread across vulnerable React-based servers.

To maintain persistent access, the malware installs the proxy tools GOST and frp (Fast Reverse Proxy) and registers them as systemd services set to restart automatically, so they survive reboots. Compromised hosts also request new target IPs from the C2 server every 45 minutes, creating a self-sustaining infection cycle that needs no operator involvement. This degree of automation points to a well-resourced threat actor rather than opportunistic attackers.

Given the pace of Operation PCPcat, organizations running React-based frameworks should act now: upgrade Next.js to releases that fix CVE-2025-29927 and CVE-2025-66478, audit configuration files for stored secrets, rotate any credentials (SSH keys, cloud keys, environment secrets) that were reachable from an exposed server, inspect systemd units for unexpected GOST or frp services, and monitor outbound traffic for connections to the known C2 address or for the regular 45-minute beaconing. The campaign shows how unpatched vulnerabilities or misconfiguration in the JavaScript ecosystem can translate into large-scale compromise with lasting consequences for cloud and enterprise environments.
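As an added example (not the campaign's tooling and not any vendor's detection content), the script below applies the two network checks recommended above to a constructed flow log: a direct match on the C2 address named earlier in the article, and a behavioural test for connections from one host to one destination that recur at roughly 45-minute intervals, which still fires if the operators move to a new C2 host. The log format, the internal host addresses, the tolerance window and the minimum-hit threshold are assumptions for illustration.

```javascript
// Added example, not from the PCPcat write-up. Log format, internal hosts,
// tolerance and thresholds are assumptions; 67.217.57.240 is the C2 address
// reported in the article.

const C2_IOCS = new Set(['67.217.57.240']);

// Constructed sample flow records: "<ISO timestamp> <src> <dst> <dst port>".
// 10.0.0.5 beacons to the C2 every 45 minutes; 10.0.0.7 is ordinary browsing.
const SAMPLE_LOG = `
2025-12-05T00:00:10Z 10.0.0.5 67.217.57.240 443
2025-12-05T00:03:41Z 10.0.0.7 203.0.113.10 443
2025-12-05T00:45:12Z 10.0.0.5 67.217.57.240 443
2025-12-05T00:59:03Z 10.0.0.7 203.0.113.10 443
2025-12-05T01:30:09Z 10.0.0.5 67.217.57.240 443
2025-12-05T01:31:55Z 10.0.0.7 203.0.113.10 443
2025-12-05T02:15:14Z 10.0.0.5 67.217.57.240 443
2025-12-05T02:40:00Z 10.0.0.7 203.0.113.10 443
`;

// Parse one record per line into { t (epoch seconds), src, dst, port }.
function parseFlowLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, src, dst, port] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, src, dst, port: Number(port) };
  });
}

// Direct IOC match: which internal hosts contacted a known C2 address, and how often.
function hostsContactingC2(records, iocs = C2_IOCS) {
  const hits = new Map();
  for (const r of records) {
    if (iocs.has(r.dst)) hits.set(r.src, (hits.get(r.src) || 0) + 1);
  }
  return [...hits.entries()].map(([src, count]) => ({ src, count }));
}

// Behavioural match: for each (src, dst) pair, compute inter-arrival gaps and
// flag pairs with at least minHits gaps within toleranceSec of the expected period.
function findPeriodicBeacons(records, { periodSec = 45 * 60, toleranceSec = 60, minHits = 3 } = {}) {
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.src}>${r.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.t);
  }
  const flagged = [];
  for (const [key, times] of byPair) {
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const regular = gaps.filter((g) => Math.abs(g - periodSec) <= toleranceSec).length;
    if (regular >= minHits) {
      const [src, dst] = key.split('>');
      flagged.push({ src, dst, regularGaps: regular, totalGaps: gaps.length });
    }
  }
  return flagged;
}

// Run both checks over a log and return the findings together.
function analyze(text = SAMPLE_LOG) {
  const records = parseFlowLog(text);
  return { c2: hostsContactingC2(records), beacons: findPeriodicBeacons(records) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(), null, 2));
}
```

On the sample log, `analyze()` returns 10.0.0.5 under both checks (four contacts with the C2, three consecutive gaps within a minute of 45 minutes) and nothing for 10.0.0.7, whose gaps are irregular. Substituting a different destination address for the C2 in the log leaves the IOC check silent while the periodicity check still flags the host, which is why the behavioural test belongs alongside the indicator match rather than instead of it. On real flow data, tighten or loosen the tolerance to the jitter you observe and raise `minHits` to keep the false-positive rate acceptable for legitimate periodic traffic such as update checks.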

Security teams should also strengthen detection and response, using threat intelligence feeds for timely indicators of emerging campaigns, so that infrastructure is defended before attackers change tactics.
