[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:china-linked-hackers-backdoored-linux-login-software-to-hide-for-nearly-a-decade-mqe1c9vc":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":17,"article_ids":18,"ioc_summary":20,"source_urls":21,"status":23,"expires_at":24,"created_at":25,"updated_at":26,"articles":27},"9bc353ed-4a32-4d83-8f46-5c3ada9c05ea","China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade","china-linked-hackers-backdoored-linux-login-software-to-hide-for-nearly-a-decade-mqe1c9vc","The China-linked Velvet Ant group has been backdooring PAM and OpenSSH binaries on Linux systems since at least 2016 to steal credentials and maintain persistent access while evading detection. Any Linux system running compromised login software is at risk of complete credential compromise and undetectable command execution. This affects all environments where these core authentication components may have been tampered with.","critical","advisory",[],[13,14,15,16],"PAM","OpenSSH","F5 BIG-IP","Cisco NX-OS","Audit all Linux systems for unsigned or modified PAM and OpenSSH binaries using file integrity monitoring. Compare binary hashes against official vendor repositories, running the comparison from a trusted environment where possible, because tooling on a compromised host may itself report false results. Assume credential compromise on affected systems: restore the login components from a trusted source first, then reset all SSH keys and service account passwords, since credentials changed while a backdoor is still in place can be captured again. Review authentication logs for suspicious login patterns dating back to 2016 where possible, preferring centrally collected logs, as a backdoored login component may not record its own use.",[19],"7789d580-7ce2-4005-81a4-552c49359b93",null,[22],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fchina-linked-hackers-backdoored-linux.html","archived","2026-06-16T17:05:22.17+00:00","2026-06-14T17:05:29.664306+00:00","2026-06-16T18:06:02.851438+00:00",[28],{"id":19,"title":6,"url":22}]