Security Breaches, Patches, and Linux Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation
-
Security Week ☛ Resurrected ‘Crimenetwork’ Marketplace Taken Down, Administrator Arrested
The second iteration of the German-speaking online crime marketplace had over 22,000 users and more than 100 sellers.
-
Security Week ☛ Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
A malicious version of the plugin was published to the Jenkins Marketplace late last week.
-
Security Week ☛ Build Application Firewalls Aim to Stop the Next Supply Chain Attack
Rather than scanning code alone, Build Application Firewalls inspect runtime behavior inside the software build pipeline.
-
Security Week ☛ Canvas System Is Online After a Cyberattack Disrupted Thousands of Schools
Tens of thousands of students studying for final exams around the world have regained access to a key online learning system after a cyberattack had earlier knocked it offline.
-
malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931)
malcontent is a parental control system for the GNOME desktop environment which allows restricting access to adult Internet content and keeping track of and limiting the amount of screen time for children. As part of the GNOME 50 version update malcontent 0.14.0 was packaged for openSUSE, triggering a review of changes in the package’s D-Bus methods and Polkit actions.
During this review we identified a local disk space exhaustion attack vector via one of the newly added D-Bus methods. There is currently no upstream bugfix available for the issue. The full details about the issue and communication with upstream will be provided in the following sections.
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (corosync, freeipmi, kernel, and kernel-rt), Debian (corosync, firefox-esr, kernel, lcms2, libpng1.6, linux-6.1, php8.2, php8.4, postorius, pyjwt, and tor), Fedora (dotnet10.0, exim, gnutls, kernel, nextcloud, nodejs22, php, proftpd, prosody, python-pulp-glue, python-requests, rclone, and SDL3_image), Mageia (firefox, nss, rootcerts, openvpn, thunderbird, and vim), Oracle (corosync, freeipmi, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good, kernel, libpng, and mingw-libtiff), Slackware (kernel and mozilla), SUSE (build, product-composer, c-ares, cairo, copacetic, distribution, firefox, firefox-esr, frr, glibc, go1.25, google-cloud-sap-agent, iproute2, java-11-openj9, java-17-openj9, java-17-openjdk, java-1_8_0-openj9, java-21-openj9, java-21-openjdk, java-25-openjdk, kernel, libexif-devel, libpcp-devel, libtpms, libtree-sitter0_26, Mesa, micropython, mozjs128, nginx, opencc, openCryptoki, php-composer2, podman, postfix, python-pytest, python311-Django, python311-Django4, redis, semaphore, strongswan, terraform-provider-aws, terraform-provider-azurerm, terraform-provider-external, terraform-provider-google, terraform-provider-helm, terraform-provider-kubernetes, terraform-provid, tor, valkey, vim, and wireshark), and Ubuntu (linux-nvidia-tegra, linux-raspi, linux-raspi-5.4, and nasm).
-
PamDOORa Linux Backdoor: How Malicious PAM Modules Steal SSH Credentials and Evade Detection in Enterprise Environments
The discovery of the PamDOORa Linux backdoor marks a significant escalation in the sophistication of post-exploitation toolkits targeting Linux infrastructure. Leveraging the trusted Pluggable Authentication Modules (PAM) framework, PamDOORa enables attackers to steal SSH credentials and maintain persistent, stealthy access to compromised systems. This report provides a comprehensive analysis of PamDOORa’s technical mechanisms, security implications, and the broader impact on enterprise environments, with a focus on actionable insights for both technical and executive audiences.
-
New PamDOORa Linux backdoor sold on cybercrime forum
As reported by The Hacker News, cybersecurity researchers from Flare have uncovered a new Linux backdoor named PamDOORa, being sold for $1,600 on the Rehub Russian cybercrime forum by a threat actor known as "darkworm." This sophisticated tool leverages the Pluggable Authentication Module (PAM) framework to provide persistent SSH access and harvest credentials.
-
Hacker News ☛ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping stolen access while defenders burn another weekend chasing logs and praying the weird traffic is just monitoring noise. The Internet’s held together with duct tape and bad sleep.