Over 59,000 Next.js servers hacked in 48 hours in credential-theft campaign

December 30, 2025 A fast-moving cyberattack has compromised more than 59,000 internet-facing Next.js servers in less than two days after attackers exploited unpatched flaws that allow remote code execution, according to new security research. While there is a patch for it, thousands of systems are still exposed.

Security researchers have dubbed the operation PCPcat, describing it as one of the clearest examples yet of automated, assembly-line exploitation of modern web frameworks. The campaign, which targeted internet-facing servers at industrial scale, turned popular React-based applications into credential-harvesting infrastructure across major cloud platforms. Mario Candela, who analyzed the activity, said the attackers scanned roughly 91,000 public Next.js deployments in about 33 hours, successfully compromising 59,128 servers – a 64.6% success rate.

The attackers abused two critical vulnerabilities, CVE-2025-29927 and CVE-2025-66478, both of which enable remote code execution if systems are not patched. Although fixes have been available for weeks, the scale of the compromise suggests tens of thousands of production systems remain exposed. Affected environments span development and production servers hosted on AWS, Microsoft Azure and Google Cloud.

Once inside, compromised servers were not defaced or encrypted. Instead, they were converted into credential-extraction nodes. Researchers observed attackers pulling secrets from environment files, SSH configurations, cloud credential stores, Docker tokens, Git repositories, and shell histories. All of this data can later be used to move laterally into cloud accounts and other services. The credentials can also be sold to other cybercriminals.

The exploitation chain relies on a Python-based component, react.py, which probes vulnerable Next.js applications for prototype pollution conditions. By injecting crafted JSON payloads, the attackers can manipulate internal objects and trigger system-level commands through Node.js child process execution. Successful compromise is first confirmed with basic commands before broader credential harvesting begins.

In many cases, attackers installed multiple persistence mechanisms. These included SOCKS5 proxy services, reverse tunnels to allow inbound access, and system services designed to survive reboots. Researchers also saw abuse of exposed Docker APIs, enabling persistence through containers where possible.

Unusually, the attackers made a major operational security mistake. Their command-and-control infrastructure exposed an unauthenticated API endpoint that leaked live statistics on scanning activity, successful compromises, and task distribution. That visibility allowed researchers to confirm the campaign’s scale, automation and continued activity in real time.

Security teams warn the incident highlights a broader shift toward infrastructure-level credential harvesting, where widely used frameworks become entry points for large-scale cloud compromise. Organizations running Next.js applications are being urged to patch immediately, rotate all potentially exposed credentials, restrict unnecessary public access and audit for signs of persistence.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
