Based on reporting by The Hacker News →
Introduction
For close to ten years, a threat actor with ties to China was not hiding in the shadows of your typical server logs; it was hiding in the login software itself. If the very mechanism that decides who gets in is compromised, your perimeter monitoring becomes, by definition, blind.
The problem
According to a detailed report from The Hacker News, a China-connected group tracked by incident-response firm Sygnia as Velvet Ant targeted a specific network by backdooring the core Linux components that control user authentication and remote access. Specifically, they compromised the Pluggable Authentication Modules (PAM) and OpenSSH packages — the foundational software that grants or denies login privileges on Linux systems. The Hacker News states that by embedding their access inside these critical system libraries, the attackers ensured their foothold would survive routine cleanup, operating undetected for nearly a decade.
Consequences
The immediate risk is that standard security measures — host-based firewalls, log monitoring, or even periodic malware scans — will miss such a deep plant. An organization can sanitize user accounts, rotate keys, or patch applications without ever touching this kernel-space-like access. For a platform running web applications, e-commerce stores, or WordPress sites on Linux hosts, this means an attacker can re-enter at will, exfiltrate data, or pivot to other assets without tripping the normal alarms.