I Breached an Attacker's C2 and Found 59k Nextjs Servers Compromised in 48 Hours
Source: beelzebub.ai (Security story, Hacker News ID 46275799)
Posted: Dec 15, 2025 at 10:34 AM EST
Key topics: Data-Privacy, Javascript Security, C2 Infrastructure
Discussion: 1 comment
A threat actor is running a massive credential theft campaign against Next.js servers - I'm calling it "Operation PCPcat". The kicker? Their C2 infrastructure is completely exposed. Like, /stats endpoint showing live campaign metrics exposed. Amateur hour OpSec, but the operation itself is industrial-scale.
What they're doing:
- Chaining CVE-2025-29927 + CVE-2025-66478 for RCE
- Harvesting .env files, SSH keys, AWS creds, Docker configs, Git credentials
- Dropping persistent backdoors
- Everything flows through their open C2 - task queues, exfil data, the works
Happy to discuss in comments.
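A defender-side check for the first CVE the post names, added here as an example and not part of the original post or of beelzebub.ai's material: it scans access-log records for inbound requests carrying the internal `x-middleware-subrequest` header that CVE-2025-29927 abuses to skip Next.js middleware, and shows the proxy-side strip that keeps that header from reaching the app. The log field names (`ip`, `path`, `headers`) and the sample records are assumptions.

```javascript
// Added example, not code from the post or from beelzebub.ai. Log field
// names (ip, path, headers) and the sample records are constructed.
const BYPASS_HEADER = 'x-middleware-subrequest';
// Next.js sets x-middleware-subrequest only on its own internal subrequests,
// so a copy arriving from an external client is suspicious whatever its
// value; values naming "middleware" match the publicly documented
// CVE-2025-29927 exploitation pattern and are ranked higher.
function classifyRequest(req) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  if (!(BYPASS_HEADER in headers)) return { suspicious: false };
  const value = headers[BYPASS_HEADER];
  const namesMiddleware = /(^|[:/])middleware(:|$)/i.test(value);
  return {
    suspicious: true,
    severity: namesMiddleware ? 'high' : 'medium',
    reason: namesMiddleware
      ? 'x-middleware-subrequest value matches CVE-2025-29927 pattern'
      : 'internal x-middleware-subrequest header supplied by external client',
    ip: req.ip,
    path: req.path,
    value,
  };
}

// Run the check over a batch of log records and keep only the hits.
function scanLog(records) {
  return records.map(classifyRequest).filter((r) => r.suspicious);
}

// Stopgap at a reverse proxy or edge function: drop the header before the
// request reaches Next.js so middleware (auth, rate limits) always runs.
// Upgrading Next.js to a release that fixes CVE-2025-29927 is the real fix.
function stripBypassHeader(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() !== BYPASS_HEADER) headers[k] = v;
  }
  return { ...req, headers };
}

// Constructed sample log: a benign request, a bypass attempt, an odd probe.
const SAMPLE_LOG = [
  { ip: '203.0.113.5', path: '/dashboard', headers: { 'user-agent': 'Mozilla/5.0' } },
  { ip: '198.51.100.9', path: '/admin', headers: { 'X-Middleware-Subrequest': 'middleware' } },
  { ip: '198.51.100.9', path: '/admin', headers: { 'x-middleware-subrequest': 'probe' } },
];
```

Feed `scanLog` the header-bearing records your proxy or WAF already logs; any hit from outside your own infrastructure is worth an alert, and `stripBypassHeader` is the matching block rule for an edge layer that can rewrite requests.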