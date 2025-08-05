
New 'Plague' PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft

Year of Linux exploits?

We had lots of discussion over in the other big one this year,
https://hardforum.com/threads/criti...ess-on-linux-impacting-major-distros.2042295/


https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html
Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year.

"The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said.

Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems.

Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools.

The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What's more, the presence of several samples signals active development of the malware by the unknown threat actors behind it.

Plague boasts of four prominent features: static credentials to allow covert access; resistance to analysis and reverse engineering using anti-debugging and string obfuscation; and enhanced stealth by erasing evidence of an SSH session.

This, in turn, is accomplished by unsetting environment variables such as SSH_CONNECTION and SSH_CLIENT using unsetenv, and redirecting HISTFILE to /dev/null to prevent shell command logging, in order to avoid leaving an audit trail.

"Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces," Pezier noted. "Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools."
Reading over this makes my head spin at the complexity of it.
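Added example for this thread (not code from the Nextron write-up, The Hacker News, or the Plague implant itself): a small Python audit script that reads /etc/pam.d-style configuration the way libpam does (comments, backslash continuations, Debian `@include` and RHEL `include`/`substack`) and flags any module that is not on a known-good allowlist or is loaded from outside the standard module directories, which is exactly where a rogue PAM module has to live and be referenced to get loaded into sshd. The directory list, the allowlist and the constructed sshd sample are assumptions to adjust for your distro; the rogue module name in the sample is hypothetical, not a Plague indicator.

```python
"""Audit PAM configuration for modules outside a known-good baseline.
Added example for this thread (not Nextron's or The Hacker News' code); the
module directories, allowlist and sample config are assumptions to tune."""
import os
import re

# Typical module directories on Debian/Ubuntu and RHEL/Fedora (assumption).
PAM_MODULE_DIRS = ("/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security",
                   "/usr/lib/security", "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security")
# Modules a stock install commonly references (assumption: derive from a clean host).
KNOWN_MODULES = frozenset({
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_systemd.so", "pam_nologin.so", "pam_motd.so", "pam_keyinit.so", "pam_loginuid.so",
    "pam_selinux.so", "pam_faillock.so", "pam_succeed_if.so", "pam_localuser.so",
    "pam_sss.so", "pam_pwquality.so", "pam_umask.so", "pam_lastlog.so", "pam_access.so"})
# "[-]type control module [args]"; control is a keyword or a bracketed [value=action ...] list.
_ENTRY_RE = re.compile(r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
                       r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*?))?\s*$")

def _logical_lines(text):
    """Strip '#' comments and join backslash-continued lines, as libpam does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return [l for l in out if l.strip()]

def parse_pam_config(text, service):
    """Parse one /etc/pam.d/<service> file into entry dicts (module or include)."""
    entries = []
    for line in _logical_lines(text):
        e = {"service": service, "type": None, "control": None, "module": None,
             "args": [], "include": None, "unparsed": None}
        m = _ENTRY_RE.match(line)
        if line.lstrip().startswith("@include"):               # Debian-style include
            parts = line.split()
            e.update(control="@include", include=parts[1] if len(parts) > 1 else "")
        elif m is None:
            e["unparsed"] = line.strip()                        # flag, never silently skip
        elif m.group("control") in ("include", "substack"):    # RHEL-style include
            e.update(type=m.group("type"), control=m.group("control"), include=m.group("module"))
        else:
            e.update(type=m.group("type"), control=m.group("control"),
                     module=m.group("module"), args=(m.group("args") or "").split())
        entries.append(e)
    return entries

def audit_entries(entries, known=KNOWN_MODULES, module_dirs=PAM_MODULE_DIRS):
    """Return (service, module, reason) tuples for entries that need a human look."""
    findings = []
    for e in entries:
        if e["unparsed"]:
            findings.append((e["service"], e["unparsed"], "unparsed line"))
        elif e["module"] is not None:
            name = os.path.basename(e["module"])
            reasons = []
            if name not in known:
                reasons.append("module not on allowlist")
            if os.path.isabs(e["module"]) and os.path.dirname(e["module"]) not in module_dirs:
                reasons.append("loaded from non-standard path")
            if reasons:
                findings.append((e["service"], name, "; ".join(reasons)))
    return findings

def list_unknown_module_files(dirs=PAM_MODULE_DIRS, known=KNOWN_MODULES):
    """Shared objects sitting in the module directories that are not on the allowlist."""
    return [os.path.join(d, n) for d in dirs if os.path.isdir(d)
            for n in sorted(os.listdir(d)) if n.endswith(".so") and n not in known]

# Constructed sample; 'pam_rogue_example.so' is a hypothetical name, not a Plague indicator.
SAMPLE_SSHD = """\
auth       required     pam_env.so
auth       substack     password-auth
@include common-auth
auth       optional     pam_rogue_example.so try_first_pass   # hypothetical rogue entry
-session   optional     pam_systemd.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_limits.so \\
                        set_all
session    required     /usr/local/lib/pam_custom.so
"""

if __name__ == "__main__":
    for f in audit_entries(parse_pam_config(SAMPLE_SSHD, "sshd")):
        print("sample:", *f)
    if os.path.isdir("/etc/pam.d"):                            # then the live host
        for name in sorted(os.listdir("/etc/pam.d")):
            path = os.path.join("/etc/pam.d", name)
            if os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    for f in audit_entries(parse_pam_config(fh.read(), name)):
                        print("host:", *f)
        for path in list_unknown_module_files():
            print("host: unknown module file", path)
```

Run it as root so every file under /etc/pam.d and the module directories is readable. An allowlist only catches unfamiliar names; a backdoor could be dropped in under a legitimate module's name, so pair this with package verification (`dpkg --verify` on Debian/Ubuntu, `rpm -Va` on RHEL/Fedora) and a hash baseline of the module directories taken from a clean install, and re-run after every update since the write-up says the implant survives them. The environment tampering the article describes (unsetting SSH_CONNECTION/SSH_CLIENT, pointing HISTFILE at /dev/null) happens at runtime inside the session, which a config audit does not see; that is an auditd or live-process inspection job.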

https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.

The authors left a reference to the movie Hackers visible only after deobfuscation. This is printed after pam_authenticate and serves as a motd message:

“Uh. Mr. The Plague, sir? I think we have a hacker.”
Oop.

Brace for lots of incoming updates.

Unix/Linux are not perfect. No OS is. But when stuff like this is uncovered, the open source world is transparent about it, and typically fixes it very fast.

That's the best you can ask for.

As far as the PAM-based attack goes, it sounds as if you already need access to the system through other means in order to install it. So it is not like it is a wide open door, but it is still concerning, as who knows what software it might be hidden in that users are installing.

The complexity of this one almost makes me think that maybe state actors are behind it.
 
