A threat actor is running a massive credential theft campaign against Next.js servers - I'm calling it "Operation PCPcat". The kicker? Their C2 infrastructure is completely exposed. Like, a /stats endpoint showing live campaign metrics, exposed. Amateur-hour OpSec, but the operation itself is industrial-scale.
What they're doing:
Chaining CVE-2025-29927 + CVE-2025-66478 for RCE
Harvesting .env files, SSH keys, AWS creds, Docker configs, Git credentials
Dropping persistent backdoors
Everything flows through their open C2 - task queues, exfil data, the works
Happy to discuss in comments.
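Added example, not part of the post above and not the actor's tooling: a detection check for the first link in the chain, CVE-2025-29927. That bug is the publicly documented Next.js middleware bypass: Next.js only sets the x-middleware-subrequest request header on its own internal subrequests, so any copy of that header arriving from a client at the edge is an exploitation attempt. The script assumes a reverse proxy that writes one JSON object per request and copies that header into a field named x_middleware_subrequest (a hypothetical field name; most default access-log formats do not log request headers, so this has to be configured). The log lines are constructed, not captured traffic. The second CVE in the chain is not modelled here because the post does not describe its mechanics.

```python
"""Detection check for the CVE-2025-29927 Next.js middleware bypass.

Assumes a reverse proxy that logs each request as one JSON line and copies
the x-middleware-subrequest request header into the field named below
(hypothetical field name). Any non-empty value sent by a client is flagged,
because Next.js only sets that header on its own internal subrequests.
"""
import json
from collections import defaultdict

HEADER_FIELD = "x_middleware_subrequest"  # assumed proxy log field name

# Constructed sample log lines, not real traffic. 203.0.113.7 probes admin
# paths with the bypass header; the other clients are ordinary visitors.
SAMPLE_LOG = """\
{"ts":"2025-04-01T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/admin/api/users","status":200,"x_middleware_subrequest":"middleware:middleware:middleware:middleware:middleware"}
{"ts":"2025-04-01T10:00:02Z","src":"198.51.100.2","method":"GET","path":"/","status":200,"x_middleware_subrequest":""}
{"ts":"2025-04-01T10:00:03Z","src":"203.0.113.7","method":"POST","path":"/api/admin/export","status":200,"x_middleware_subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}
{"ts":"2025-04-01T10:00:04Z","src":"192.0.2.9","method":"GET","path":"/login","status":302,"x_middleware_subrequest":""}
proxy restart: this line is deliberately not JSON and must be skipped
{"ts":"2025-04-01T10:00:05Z","src":"203.0.113.7","method":"GET","path":"/admin","status":200,"x_middleware_subrequest":"pages/_middleware"}
"""

# Header values seen in public proof-of-concept requests for the bypass.
# Detection does not depend on them; they only enrich the alert.
KNOWN_POC_VALUES = {
    "middleware:middleware:middleware:middleware:middleware",
    "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware",
    "pages/_middleware",
}


def parse_log(log_text):
    """Yield parsed JSON records, silently skipping non-JSON lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_bypass_attempts(log_text):
    """Return one dict per request where a client supplied the internal-only header."""
    hits = []
    for rec in parse_log(log_text):
        value = rec.get(HEADER_FIELD, "")
        if not value:
            continue
        status = int(rec.get("status", 0))
        hits.append({
            "src": rec.get("src"),
            "path": rec.get("path"),
            "status": status,
            "header": value,
            "matches_known_poc": value in KNOWN_POC_VALUES,
            # A 2xx on a middleware-protected path means the bypass most
            # likely worked; a 401/403 suggests the server was patched or a
            # second authorization check caught it.
            "likely_success": 200 <= status < 300,
        })
    return hits


def summarize_by_source(hits):
    """Group flagged paths by client address for triage."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h["path"])
    return dict(by_src)


if __name__ == "__main__":
    attempts = find_bypass_attempts(SAMPLE_LOG)
    for a in attempts:
        print(a)
    print(summarize_by_source(attempts))
```

Two caveats for anyone running this against real logs: the check only works if the proxy actually records that header (configure it explicitly, and consider having the proxy strip the header inbound as a compensating control), and a flagged request with a 2xx on a protected route should be treated as a probable successful bypass on an unpatched server, which for this CVE means anything before Next.js 15.2.3, 14.2.25 or 13.5.9.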