Digital Dragon Watch: Weekly China Cyber Alert

Splunk Gets Pwned, Linux Goes Rogue, and China's Decade-Long SSH Backdoor Finally Exposed


This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.
I’m Ting, your Digital Dragon Watch host, and listeners, we’ve had a very busy China‑cyber week.
Let’s start with the loudest alarm: the Splunk Enterprise flaw, CVE‑2026‑20253. Defend Network reports this is a critical unauthenticated remote code execution bug with a 9.8 severity score, giving attackers a near‑frictionless way to run code on unpatched Splunk servers. That’s catnip for China‑linked espionage crews who love anything that sits in the middle of logs and telemetry. Splunk has already pushed patches, and U.S. federal environments that rely on Splunk for SIEM are scrambling to harden internet‑facing instances, segment management networks, and turn on strict access controls.
Right behind that, Defend Network also flags that over 400 Arch Linux AUR packages were hijacked this week to deliver a Rust infostealer and an eBPF rootkit into developer build chains. That’s textbook supply‑chain tradecraft, very much in line with historic China‑nexus campaigns that compromise devs first, enterprises later. Targets are any shop that casually pulls AUR packages into CI pipelines—so think software vendors, security tools, and anyone building from bleeding‑edge Linux.
The most worrying long‑game detail is Velvet Ant. According to Defend Network, this China‑linked threat group quietly burrowed into Linux PAM and OpenSSH components for almost a decade, keeping persistent admin‑level access. That’s not smash‑and‑grab ransomware; that’s strategic positioning for espionage across governments, telcos, and cloud providers. It also explains why U.S. defenders keep finding “ghost” SSH activity that never mapped cleanly to known malware.
On the crime‑plus‑espionage frontier, Google has filed a lawsuit—highlighted in Google’s own public communications and amplified on Instagram—against a China‑based phishing‑as‑a‑service network. The service, known as the Greatness‑style platform in earlier reporting, is accused of weaponizing AI, including Google’s Gemini, to generate convincing smishing lures against U.S. users. That lines up with the broader U.S. government push, including FBI outreach, to clamp down on infrastructure that industrializes credential theft.
So what should you actually do about all this? Experts at Defend Network and U.S. government cyber advisors converge on a few points: patch Splunk immediately; audit any systems that built AUR packages recently and assume credentials are burned; rotate all SSH keys; and deeply inspect PAM and OpenSSH binaries for tampering. For executive and political targets, move social and email accounts to hardware security keys and lock down recovery flows to prevent AI‑turbocharged phishing from escalating into full account takeover.
I’m Ting, and that’s your Digital Dragon Watch for this week. Thanks for tuning in, and don’t forget to subscribe so you don’t miss the next alert. This has been a Quiet Please production; for more, check out quiet please dot ai.
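Two of the recommendations in this episode, inspecting PAM and OpenSSH components for tampering and checking what the PAM stack actually loads, can be turned into a small, repeatable check. The script below is an added example and is not from the podcast or from any vendor named in it. It does two things: it parses PAM configuration lines and flags modules loaded from outside the usual distribution module directories or "always succeed" entries (`pam_permit.so` under a `sufficient` control), and it compares SHA-256 hashes of named binaries against a previously recorded baseline. The PAM sample, the file contents and the baseline are all constructed inline so the script runs offline; the list of standard module directories and the path names are assumptions about a typical Linux layout, not facts from the page.

```python
"""Audit PAM configuration lines and verify binaries against a known-good hash baseline.

Added example; not code from the podcast or any project it mentions.
"""
import hashlib
import os
import re
import tempfile

# Assumed locations where distribution-supplied PAM modules normally live.
STANDARD_MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
)

# type  control  module  [args]   (leading '-' marks an optional-to-load module)
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample PAM stack, not taken from any real host.
SAMPLE_PAM_CONFIG = """\
# constructed sample of an /etc/pam.d/sshd-style file
auth       required     pam_env.so
auth       sufficient   pam_permit.so
auth       required     /tmp/.cache/pam_helper.so try_first_pass
account    required     pam_unix.so
session    optional     pam_keyinit.so revoke
"""


def audit_pam_config(text):
    """Return a list of (line_number, reason, module) findings for one PAM file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue
        _facility, control, module, _args = m.groups()
        # A module given by absolute path outside the standard directories is
        # unusual on a stock system and worth a manual look.
        if "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            findings.append((lineno, "module loaded from non-standard path", module))
        # 'sufficient' + pam_permit.so short-circuits the stack with success.
        if module.endswith("pam_permit.so") and control == "sufficient":
            findings.append((lineno, "always-succeed module with sufficient control", module))
    return findings


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline):
    """Compare files to a {path: expected_sha256} baseline; return (path, status) mismatches."""
    problems = []
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != expected:
            problems.append((path, "modified"))
    return problems


def demo_baseline_check():
    """Build a constructed baseline in a temp dir, tamper with one file, and report.

    Returns (problems_before_tampering, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as d:
        # Stand-ins for an sshd binary and a PAM module; contents are constructed.
        paths = [os.path.join(d, "sshd"), os.path.join(d, "pam_unix.so")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"constructed stand-in for " + os.path.basename(p).encode())
        baseline = {p: sha256_file(p) for p in paths}
        before = verify_baseline(baseline)
        with open(paths[0], "ab") as f:       # simulate an in-place modification
            f.write(b"\x00")
        after = [(os.path.basename(p), status) for p, status in verify_baseline(baseline)]
        return before, after


if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_PAM_CONFIG):
        print("PAM line %d: %s (%s)" % finding)
    print(demo_baseline_check())
```

In practice the baseline dictionary would be recorded from a freshly installed or known-clean system (or taken from the package manager's own verification), and the PAM audit would be run over every file under `/etc/pam.d`; findings are leads for manual review, not proof of compromise.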
For more http://www.quietplease.ai

Digital Dragon Watch: Weekly China Cyber Alert, by Inception Point AI