
Attackers exploit trusted tokens, packages, and accounts across 25 incidents reported this week.
The Hacker News weekly bulletin logs 25 new active incidents in a single reporting window. No single event is catastrophic on its own. The aggregate pattern is the story.
Four headline categories:
Linux rootkits — A rootkit (malware that embeds in the OS kernel to evade antivirus and forensic tools) is active in compromised enterprise Linux environments. The technique isn't new; its reappearance signals defenders have dropped their guard on Linux endpoints.
Router 0-day — An unpatched vulnerability affects widely deployed network hardware. No confirmed CVE at press time, which hampers automated detection across most security tooling.
AI-assisted intrusions — Attackers are using generative AI tools to accelerate recon, craft targeted phishing, and evade detection. This isn't AI hacking autonomously — it's humans hacking faster and cheaper.
Scam kits — Pre-packaged fraud bundles circulating on underground markets. They include phishing pages, fake support scripts, and complete social engineering flows.
The common thread across every incident: attackers aren't forcing entry — they're using keys they already hold. A leaked token. A poisoned package via a supply chain attack (an attack that compromises the software supply chain — libraries, updates, and tools your code already trusts). A reused credential. A legitimate support account taken over.
25 incidents in one week isn't the alarming number. The alarming part is the normalization of the vector. When the attack path runs through a trusted package or an internal tool update, perimeter controls detect nothing. Traffic looks legitimate because it originates from a legitimate source.
Linux rootkits are especially painful for SOC (Security Operations Center — the team that monitors and responds to threats) teams. A well-implemented rootkit can run for weeks without triggering a single alert. EDR (endpoint detection and response — security software that monitors endpoint behavior) coverage on Linux still lags significantly behind Windows equivalents.
The router 0-day adds another critical angle: network infrastructure that most organizations patch far less rigorously than their application servers.
The perimeter model has been dead for years — many teams just haven't updated their playbook. When the attack arrives via a trusted channel, behavioral anomaly detection is the only control that holds. Origin-based detection won't catch it.
Help more people discover BBLabs News.
Want to get news like this every day?
Browse all articles