China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

China-linked Velvet Ant group has been backdooring PAM and OpenSSH binaries on Linux systems since at least 2016 to steal credentials and maintain persistent access while evading detection. Any Linux system running compromised login software is at risk of complete credential compromise and undetectable command execution. This affects all environments where these core authentication components may have been tampered with.

CRITICALAdvisoryJun 14, 2026

Action required

Audit all Linux systems for unsigned or modified PAM and OpenSSH binaries using file integrity monitoring. Compare binary hashes against official vendor repositories. Assume credential compromise on affected systems and reset all SSH keys and service account passwords. Review authentication logs for suspicious login patterns dating back to 2016 where possible.

Affected products

PAMOpenSSHF5 BIG-IPCisco NX-OS

Linked articles

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Source links

https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html