Next.js: 59k servers compromised in 48h - I breached the attackers' C2 and here's what I found
A large-scale credential theft campaign named "Operation PCPcat" compromised approximately 59,000 Next. js servers within 48 hours by exploiting two remote code execution vulnerabilities (CVE-2025-29927 and CVE-2025-66478). Attackers extracted sensitive files including . env files, SSH keys, and cloud credentials, installed persistent backdoors, and operated a publicly exposed command and control infrastructure. The campaign involves exploitation, data exfiltration, and backdoor installation. Organizations running Next. js in production are advised to patch vulnerable systems immediately and rotate all potentially compromised credentials. The threat is assessed as medium severity with potentially widespread impact due to the scale and sensitivity of data targeted. European organizations using Next. js may be particularly at risk.
AI Analysis
Technical Summary
Operation PCPcat is a large-scale attack campaign targeting Next.js servers by exploiting two remote code execution vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. Within 48 hours, attackers compromised around 59,000 servers, extracting sensitive configuration and credential files such as .env files, SSH keys, and cloud credentials. They also installed persistent backdoors and operated a command and control infrastructure that was publicly exposed, allowing insight into real-time campaign metrics. The attack chain includes exploitation, data theft, and persistence mechanisms. The campaign poses a medium severity threat with significant potential impact due to the volume of compromised servers and the nature of stolen data. No patch or official vendor advisory details are included in the provided information.
Potential Impact
The campaign led to the compromise of approximately 59,000 Next.js servers, resulting in theft of sensitive files (.env, SSH keys, cloud credentials), installation of persistent backdoors, and exposure of a command and control infrastructure. This enables attackers to maintain long-term access and potentially escalate further attacks. The scale and nature of the stolen data could lead to broader security breaches if credentials are reused or cloud environments are accessed. The threat is medium severity based on the provided assessment.
Mitigation Recommendations
The information advises organizations running Next.js in production to immediately patch vulnerable systems and rotate all potentially compromised credentials. However, no specific patch links or vendor advisories are provided in the data. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance. Rotating credentials and removing backdoors are critical steps to mitigate ongoing risk. Detection rules and IoCs are reportedly available to assist in identifying compromise.
Next.js: 59k servers compromised in 48h - I breached the attackers' C2 and here's what I found
Description
A large-scale credential theft campaign named "Operation PCPcat" compromised approximately 59,000 Next. js servers within 48 hours by exploiting two remote code execution vulnerabilities (CVE-2025-29927 and CVE-2025-66478). Attackers extracted sensitive files including . env files, SSH keys, and cloud credentials, installed persistent backdoors, and operated a publicly exposed command and control infrastructure. The campaign involves exploitation, data exfiltration, and backdoor installation. Organizations running Next. js in production are advised to patch vulnerable systems immediately and rotate all potentially compromised credentials. The threat is assessed as medium severity with potentially widespread impact due to the scale and sensitivity of data targeted. European organizations using Next. js may be particularly at risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Operation PCPcat is a large-scale attack campaign targeting Next.js servers by exploiting two remote code execution vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. Within 48 hours, attackers compromised around 59,000 servers, extracting sensitive configuration and credential files such as .env files, SSH keys, and cloud credentials. They also installed persistent backdoors and operated a command and control infrastructure that was publicly exposed, allowing insight into real-time campaign metrics. The attack chain includes exploitation, data theft, and persistence mechanisms. The campaign poses a medium severity threat with significant potential impact due to the volume of compromised servers and the nature of stolen data. No patch or official vendor advisory details are included in the provided information.
Potential Impact
The campaign led to the compromise of approximately 59,000 Next.js servers, resulting in theft of sensitive files (.env, SSH keys, cloud credentials), installation of persistent backdoors, and exposure of a command and control infrastructure. This enables attackers to maintain long-term access and potentially escalate further attacks. The scale and nature of the stolen data could lead to broader security breaches if credentials are reused or cloud environments are accessed. The threat is medium severity based on the provided assessment.
Mitigation Recommendations
The information advises organizations running Next.js in production to immediately patch vulnerable systems and rotate all potentially compromised credentials. However, no specific patch links or vendor advisories are provided in the data. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance. Rotating credentials and removing backdoors are critical steps to mitigate ongoing risk. Detection rules and IoCs are reportedly available to assist in identifying compromise.
Technical Details
- Source Type
- Subreddit
- netsec
- Reddit Score
- 5
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Domain
- beelzebub.ai
- Newsworthiness Assessment
- {"score":47.5,"reasons":["external_link","newsworthy_keywords:exploit,cve-,rce","non_newsworthy_keywords:question,rules","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit","cve-","rce","backdoor","threat actor","campaign","compromised","exposed","breach","patch","ioc","yara","analysis"],"foundNonNewsworthy":["question","rules"]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 693ffbd1d9bcdf3f3dd7fb5d
Added to database: 12/15/2025, 12:15:13 PM
Last enriched: 5/9/2026, 1:36:22 AM
Last updated: 5/10/2026, 1:36:46 AM
Views: 398
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.