Attackers hijacked 400 AUR packages to install credential stealer malware with an optional eBPF rootkit. Check your builds now. redsecuretech.co.uk/blog/pos… #AURMalware #ArchLinux #SupplyChainAttack #CredentialStealer #AtomicLockfile #eBPFRootkit #PKGBUILD #LinuxSecurity #Sonatype
9
Linux Privilege Escalation Using Misconfigured NFS 🔥
Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles
Misconfigured NFS shares can become a direct path to root access on Linux systems ⚠️
📚 What You'll Learn in This Guide
🔍 Understanding NFS & Network File Sharing
📋 Enumerating NFS Exports and Permissions
⚙️ Identifying Dangerous NFS Configurations
🚨 Exploiting no_root_squash Misconfigurations
📂 Mounting Remote NFS Shares
🛠️ Creating and Deploying SUID Binaries
🐚 Gaining Root Access via NFS Abuse
🔑 Privilege Escalation Walkthrough
🧠 Enumeration & Post-Exploitation Techniques
🛡️ Securing NFS Shares and Permissions
⚠️ Detection & Mitigation Best Practices
💡 NFS misconfigurations, especially the no_root_squash option, can allow attackers to create privileged files on shared directories and escalate privileges to root on Linux systems.
📖 Article: hackingarticles.in/linux-pri…
#Linux #PrivilegeEscalation #NFS #NoRootSquash #RedTeam #Pentesting #CyberSecurity #EthicalHacking #InfoSec #LinuxSecurity
25
123
4,800
A China-nexus group hid in Linux PAM and OpenSSH for nine years. No malware. No alerts. Here's how to find them. redsecuretech.co.uk/blog/pos… #VelvetAnt #LinuxBackdoor #PAM #OpenSSH #OperationHighland #Sygnia #ChinaThreatActor #LinuxSecurity #InfrastructureHiding #CredentialTheft
1
1
27
Feeling sweaty today? Validate your system integrity and packages with this, just whipped it up (for my own mental health) XD -> github.com/J4ck3LSyN-Gen2/AU… #InfoSec #ArchLinux #LinuxSecurity #CyberSecurity #Security #SupplyChain #AUR

49
Alpine Linux continues expanding beyond containers into desktop and workstation deployments. That means more environments are standardizing on musl libc and BusyBox. For operators, compatibility testing becomes just as important as performance gains. Many teams discover application assumptions about glibc only after deployment. Review build and runtime dependencies before wider adoption. zdnet.com/article/alpine-lin… #LinuxSecurity #Linux #InfrastructureSecurity
5
147
npm v12 now disables install scripts by default, reducing a common software supply chain risk during package installs. That change matters because build systems often execute dependency code automatically. In Linux CI/CD environments, package installs frequently run inside privileged build runners and containers. Many teams inherit transitive dependencies without ever reviewing their install hooks. Dependency inventories and build pipeline assumptions are worth revisiting. linuxsecurity.com/news/vendo… #LinuxSecurity #DevSecOps #OpenSourceSecurity
1
2
77
Every listening port represents a running service and a potential entry point into a Linux system. The issue is often visibility, not vulnerability. As servers evolve, services get added, migrated, and reconfigured. What was closed last quarter may be exposed today. Many environments accumulate open ports through operational changes rather than deliberate decisions. Comparing listening services against documented requirements can reveal surprises. linuxsecurity.com/howtos/sec… #LinuxSecurity #Linux #DevSecOps
51
Open-source package compromises can expose credentials, CI secrets, SSH keys, and cloud access tokens through downstream tooling. The impact often extends beyond the package itself. Linux infrastructure teams may encounter this through build runners, automation hosts, or developer environments connected to production systems. Many organizations trust internal pipelines that consume external dependencies daily. Dependency reviews should include the systems that build and deploy software. linuxsecurity.com/news/netwo… #LinuxSecurity #DevSecOps #Cybersecurity
1
1
62
Attackers frequently use cron to relaunch scripts, reconnect to external infrastructure, or reinstall removed malware. The challenge is visibility, not complexity. In cloud and virtualized environments, suspicious cron activity can look like ordinary automation unless teams investigate the commands being executed. Many operators inherit servers with years of accumulated scheduled tasks. A baseline inventory of cron jobs makes incident response much easier. linuxsecurity.com/howtos/sec… #Linux #Cybersecurity #LinuxSecurity
1
1
60
A Chromium V8 flaw affecting Linux builds has been associated with active exploitation activity and prompted CISA KEV inclusion. The challenge is often visibility, not patch availability. In enterprise Linux environments, Chromium may be bundled into VDI images, developer workstations, and managed desktop fleets that update on different schedules. Many teams assume browser updates are happening automatically everywhere. Verifying deployed versions is often worth the effort. linuxsecurity.com/news/secur… #LinuxSecurity #DevSecOps #Linux
1
65
SSH configuration drift is a common operational reality. Small changes accumulate across servers, cloud instances, and automation workflows. Linux operators often manage systems deployed years apart with different SSH baselines. Many organizations discover inconsistent SSH settings only during audits or incident reviews. Regular validation of SSH configurations helps keep access controls aligned across environments. linuxsecurity.com/howtos/sec… #Linux #LinuxSecurity #DevSecOps
40
Cron abuse is often less about malware sophistication and more about operational visibility gaps. Scheduled tasks can quietly survive reboots, process restarts, and partial remediation. Linux servers, cloud instances, and application hosts all rely heavily on automation, making cron a natural persistence target. Many teams focus on package updates and service health while scheduled task reviews happen infrequently. Knowing what "normal" cron activity looks like makes investigations much easier. linuxsecurity.com/features/c… #LinuxSecurity #OpenSourceSecurity #InfrastructureSecurity
25
Langflow vulnerabilities are under active exploitation, including flaws that can lead to unauthenticated remote code execution on exposed instances. Many deployments sit behind AI workflows but still run on standard Linux hosts. In practice, that means an internet-facing service can become a foothold into infrastructure, containers, and stored credentials. Teams often expose these tools for convenience and forget they are still servers. Review exposed services and deployment inventories. linuxsecurity.com/news/secur… #LinuxSecurity #OpenSourceSecurity #DevSecOps
31
Open ports are often the first thing infrastructure teams discover during a security review. The challenge is that exposed services are not always intentional. In Linux environments, forgotten development services, test databases, and temporary management interfaces can remain reachable long after deployment. Many admins have run a scan and found a service they thought was internal only. Regular port audits help verify actual exposure, not just intended configuration. linuxsecurity.com/howtos/sec… #LinuxSecurity #Linux #InfrastructureSecurity
44
A Chromium V8 zero-day vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog, with active exploitation observed in the wild. A browser issue can quickly become a Linux fleet issue. Many Linux environments rely on Chromium-based browsers for admin portals, cloud consoles, and internal tools. Delayed browser updates can leave workstations and jump hosts exposed. Operators often discover browser versions lag behind OS patch cycles. Inventory Chromium-based deployments alongside regular package reviews. linuxsecurity.com/news/secur… #LinuxSecurity #Linux #InfrastructureSecurity
232
Frequent cron execution can be an early indicator of persistence activity on Linux hosts. A task running every minute may not seem unusual at first glance. In production environments, most scheduled jobs follow predictable maintenance patterns. Attackers often prefer short intervals to keep access reliable. Many operators have inherited systems with years of accumulated cron entries and little documentation. Periodic cron audits often uncover surprises. linuxsecurity.com/features/c… #LinuxSecurity #Linux #DevSecOps
39
IronWorm spread through malicious npm packages that appeared legitimate during normal development workflows. No unusual deployment process was required. Container images and internal applications can inherit vulnerable dependencies through routine builds. Many teams know exactly what they deploy, but not always every transitive dependency included. Reviewing software bills of materials can help close that gap. linuxsecurity.com/news/secur… #LinuxSecurity #OpenSourceSecurity #Cybersecurity
22