Next.js: 59k servers compromised in 48h – I breached the attackers’ C2 and here’s what I found
These aren’t theoretical numbers. The attackers left their C2 wide open with a /stats endpoint showing real-time campaign metrics. Yes, really.

I’ve been monitoring attacks hitting my Beelzebub research honeypots and caught what I’m calling “Operation PCPcat” – a large-scale credential theft campaign targeting Next.js deployments.

TL;DR of the attack chain:
- Exploits CVE-2025-29927 and CVE-2025-66478 for RCE
- Extracts .env files, SSH keys, AWS/Docker/Git credentials
- Installs persistent backdoor infrastructure
- C2 is hilariously exposed: task assignment, exfil pipeline, stats – all publicly accessible

What I documented:
- Full kill chain analysis
- IoCs
- Suricata/YARA detection rules
- Threat actor’s Telegram channels

If you’re running Next.js in prod: patch immediately and rotate your credentials. Assume compromise if you were vulnerable during this window.

Happy to answer questions or share more technical details.

submitted by /u/mario_candela