A large-scale cyber espionage operation known as Operation PCPcat has shaken the modern web infrastructure, compromising more than 59,000 servers in just 48 hours. The campaign targets systems built on React frameworks, including widely deployed Next.js and React Servers, and has already resulted in the theft of hundreds of thousands of credentials.
Security researchers uncovered the campaign after observing unusual activity across multiple honeypot environments. Further investigation revealed a highly automated attack chain linked to a centralized command-and-control (C2) server hosted in Singapore. The attackers appear to be exploiting previously undocumented or recently disclosed vulnerabilities to achieve remote code execution (RCE) at scale.
According to the data observed, Operation PCPcat has scanned 91,505 IP addresses globally and successfully compromised 59,128 servers, yielding a 64.6% success rate. At its peak, the campaign was compromising approximately 41,000 servers per day, making it one of the fastest-moving attacks ever observed against React-based deployments.
Exploited Vulnerabilities and Initial Access
The attackers behind PCPcat are exploiting two critical vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. Both flaws reportedly impact Next.js deployments and allow attackers to execute arbitrary code remotely.
The attack begins with a mass scanning of publicly exposed domains running vulnerable React frameworks. Once a susceptible server is identified, the attackers use a technique known as prototype pollution, a well-known JavaScript vulnerability class. By injecting malicious payloads through crafted JSON data, the attackers manipulate JavaScript object prototypes, ultimately tricking the server into executing unauthorized commands.
This approach allows the attackers to bypass traditional authentication mechanisms and gain full control of the affected React Servers without needing valid credentials.
Credential Theft and Post-Exploitation Activity
Once access is achieved, the malware deployed by Operation PCPcat behaves as a highly efficient credential stealer. It immediately searches for sensitive data stored on the system, including:
- .env configuration files
- SSH private keys
- Cloud service credentials
- System environment variables
The stolen data potentially grants attackers access to broader infrastructure components, such as AWS accounts, Docker environments, and internal networks. Researchers estimate that the campaign has already exfiltrated between 300,000 and 590,000 credential sets, increasing the risk of follow-on attacks.
Centralized Command-and-Control Infrastructure
The compromised servers are managed through a centralized C2 server located at 67.217.57.240, hosted in Singapore. This server coordinates the operation by assigning new scanning targets and collecting stolen data from infected machines.
Notably, the attackers left an internal statistics dashboard publicly accessible, allowing researchers to directly observe the scope of the operation in real time. The dashboard confirmed the scale of the campaign and revealed how efficiently PCPcat was spreading across vulnerable React Servers.
Persistence and Self-Sustaining Propagation
To maintain long-term access, the malware installs proxy tools such as GOST and Fast Reverse Proxy on infected systems. These tools are configured as systemd services, ensuring that the malware automatically restarts whenever the server reboots.
Each compromised machine is also programmed to request 2,000 new target IPs every 45 minutes from the C2 server. This design creates a self-sustaining infection loop, allowing Operation PCPcat to expand rapidly without direct operator involvement.
This level of automation suggests a highly organized and well-resourced threat actor rather than an opportunistic attack.
Detection and Defensive Measures
As Operation PCPcat evolves, organizations running React frameworks and React Servers should assume potential exposure and act quickly by auditing .env files, rotating credentials, reviewing logs for suspicious activity, monitoring outbound traffic to known C2 infrastructure, and using YARA signatures to detect the PCPcat credential stealer.
The campaign highlights the growing risk to modern JavaScript ecosystems, where widespread React and Next.js adoption, combined with misconfigurations or unpatched flaws, enables large-scale compromise, with possible long-term impacts on cloud and enterprise environments.
To stay ahead as attackers adapt their tactics, security teams can strengthen detection and response with Cyble’s AI-powered threat intelligence and book a free demo with Cyble to gain real-time visibility into new cyber threats and protect their infrastructure proactively.
