Threats Tagged 'linux'
View all threats tagged with 'linux'. Filter and sort to focus on specific types of threats.
Linux Process Name Masquerading, (Wed, Jun 24th)
This threat involves Linux process name masquerading, a technique where malicious processes disguise themselves by altering their displayed process names to appear non-suspicious. This can evade detection by security analysts and some security controls. The technique manipulates the process name shown in /proc/<pid>/comm and /proc/<pid>/cmdline by using system calls and memory overwrites. It has been observed in campaigns such as those attributed to the Velvet Ant Chinese group. Detection tools that rely solely on standard process listings can be deceived, though advanced tools like Kunai using eBPF can detect the real command line despite the masquerade.
SANS ISC Handlers Diary | 06/24/2026, 06:29:03 UTC | Added: 06/24/2026, 06:39:14 UTC

Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
Bulletin ID: 2026-046-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/18/2026 17:30 PM PDT
Description: containerd is an open-source container runtime used by Kubernetes via the Container Runtime Interface (CRI) plugin. It underpins AWS managed container services including Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), AWS Fargate, Bottlerocket, and Amazon Linux. AWS identified five issues in the containerd CRI plugin affecting versions 1.7 through 2.3.
- CVE-2026-50195 (GHSA-cvxm-645q-p574) - CRI checkpoint import, local image tag poisoning
- CVE-2026-53488 (GHSA-xhf5-7wjv-pqxp) - image-config LABEL -> host-root command exec
- CVE-2026-53492 (GHSA-33vj-92qq-66hc) - CDI annotation smuggling during checkpoint restore
- CVE-2026-53489 (GHSA-rgh6-rfwx-v388) - arbitrary host file read via symlink in checkpoint restore
- CVE-2026-47262 (GHSA-jpcc-p29g-p8mq) - image-triggered runtime DoS
Impacted versions: containerd 1.7, 2.0, 2.1, 2.2, 2.3
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AWS Security Bulletins | 06/19/2026, 00:29:27 UTC | Added: 06/20/2026, 00:05:06 UTC

Wordpress Temporary Login Plugin 1.0.0 - 'temp-login-token' Authentication Bypass to Account Takeover
Exploit-DB RSS Feed | 05/26/2026, 00:00:00 UTC | Added: 06/17/2026, 11:03:39 UTC

Linux Kernel - Local Privilege Escalation
Exploit-DB RSS Feed | 05/29/2026, 00:00:00 UTC | Added: 06/17/2026, 11:03:38 UTC

Atomic Arch Supply Chain Attack Hits 1,500 AUR Packages
A supply chain attack targeted the Arch User Repository (AUR) by publishing over 1,500 malicious packages. Attackers modified abandoned packages to execute malicious code during installation, leveraging eBPF for persistence and hiding. The malware is capable of credential and secret harvesting, including SSH keys and tokens, and can evade detection by hiding processes and files. Arch Linux responded by suspending new AUR account registrations to contain the attack and is actively removing malicious commits.
SecurityWeek | 06/16/2026, 10:51:49 UTC | Added: 06/16/2026, 11:00:15 UTC

Windows version of SprySOCKS Linux malware used to attack govt orgs
Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries. [...]
Bleeping Computer | 06/16/2026, 09:00:00 UTC | Added: 06/16/2026, 09:30:03 UTC

CVE-2026-11931 - Insecure Permissions on Authentication Token Cache File in Kiro IDE
Bulletin ID: 2026-045-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/15/2026 11:45 AM PDT
Description: Kiro IDE is an agentic development environment that makes it easy for developers to ship real engineering work with the help of AI agents. We identified CVE-2026-11931, where incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600).
Impacted versions: < 0.11.133
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AWS Security Bulletins | 06/15/2026, 18:41:08 UTC | Added: 06/15/2026, 18:48:00 UTC

Over 400 Arch Linux packages compromised to push rootkit, infostealer
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. [...]
Bleeping Computer | 06/12/2026, 17:03:55 UTC | Added: 06/12/2026, 17:09:27 UTC

CISA warns of active attacks exploiting Android, Linux bugs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. [...]
Bleeping Computer | 06/03/2026, 15:36:16 UTC | Added: 06/03/2026, 15:48:37 UTC

Organizations Warned of Exploited Linux Kernel Vulnerability
An improper authentication bug allows attackers to escalate their privileges and escape containers.
SecurityWeek | 06/03/2026, 11:56:43 UTC | Added: 06/03/2026, 12:03:34 UTC

Showing 1 to 10 of 25 results