Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers Emerge
The Hacker News reports a difficult week for defenders, highlighting a Linux rootkit, a macOS crypto stealer, and the persistent threat of WebSocket skimmers (client-side scripts injected into checkout pages that exfiltrate card data over a WebSocket rather than ordinary HTTP requests, which lets them slip past tooling that only inspects XHR and fetch traffic). The recap underscores a recurring theme: attackers combine novel techniques with long-standing, unpatched vulnerabilities. It also details poisoned trusted downloads and compromised cloud servers, pointing to a broad attack surface and gaps in basic security hygiene.
Attackers are clearly finding success by targeting known weaknesses and supply chain vectors. The recap's phrase "bugs that should've died years ago" is a blunt verdict on the industry's patch management and configuration practices. The attacker's calculus remains simple: take the path of least resistance. Whether it is a zero-day or a decade-old CVE, if it grants access, they will use it.
This is not sophisticated nation-state tradecraft in every case; sometimes it is an opportunistic attacker who lands on an unpatched host and walks into root access. The common thread is that these opportunities exist because organizations fail to implement foundational controls and maintain their infrastructure. The consequence is predictable: compromised systems, data theft, and the ongoing erosion of trust.
What This Means For You
- If your organization runs Linux or macOS systems, assume they are targets. Audit patch levels for every operating system and critical application now, and prioritize vulnerabilities that have been public for years; the recap shows these are still being exploited.
- Because the recap mentions poisoned trusted downloads, verify code signatures (and on macOS, notarization) on installers and updates before deploying them, and pin the download sources you allow.
- Review cloud server configurations for unintended public exposure and enforce network segmentation, so that an opportunistic foothold does not become root on a management host.
- For web applications, deploy a strict Content Security Policy to contain client-side skimming, and check it covers the WebSocket case: WebSocket connections are governed by `connect-src`, so a policy that only sets `script-src` still lets an injected skimmer open an outbound socket. Pair the CSP with Subresource Integrity on third-party scripts and audit those scripts regularly.
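The following is an added example, not code from The Hacker News recap or from any product it mentions. It implements a small subset of the CSP source-matching rules and uses it to ask one question of two policies: would an injected skimmer be able to load its script and open an outbound WebSocket? The page origin, skimmer hostnames and both policies are constructed for illustration; nonces, hashes, ports and path matching are left out.

```javascript
// Added example: evaluate whether a Content-Security-Policy would let a
// WebSocket skimmer (a) load its script and (b) open an outbound socket.
// Implements a subset of CSP source matching; hosts and policies are constructed.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src and connect-src fall back to default-src when absent; with neither
// present, the browser places no restriction on that kind of fetch at all.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy["default-src"]) return policy["default-src"];
  return null;
}

// A scheme source is satisfied by the same scheme or its secure upgrade only.
function schemeMatches(allowed, actual) {
  if (allowed === actual) return true;
  return (allowed === "http:" && actual === "https:") ||
         (allowed === "ws:" && actual === "wss:");
}

// "*.cdn.example" matches any proper subdomain; anything else is an exact host.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Subset of CSP source-expression matching: 'none', *, 'self', scheme sources
// (https:, wss:) and host sources with an optional scheme. No nonces, hashes,
// ports or paths. Keyword sources such as 'unsafe-inline' never match a URL.
function sourceAllows(expr, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") {
    // Same host; an https page may also open wss: sockets to its own host.
    return target.host === page.host &&
           (schemeMatches(page.protocol, target.protocol) ||
            (page.protocol === "https:" && target.protocol === "wss:"));
  }
  if (e.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, target.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)$/.exec(e);
  if (!m) return false;
  const [, scheme, host] = m;
  // A host source without a scheme inherits the page's scheme, so wss: endpoints
  // must be listed with an explicit wss:// prefix.
  const allowedScheme = scheme ? scheme + ":" : page.protocol;
  return schemeMatches(allowedScheme, target.protocol) &&
         hostMatches(host, target.hostname);
}

function policyAllows(header, directive, url, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // directive unrestricted
  return sources.some((src) => sourceAllows(src, url, pageOrigin));
}

// A skimmer needs both; the policy contains it only when both are false.
function skimmerExposure(header, pageOrigin, scriptUrl, socketUrl) {
  return {
    scriptLoads: policyAllows(header, "script-src", scriptUrl, pageOrigin),
    socketOpens: policyAllows(header, "connect-src", socketUrl, pageOrigin),
  };
}

// Constructed origins: a checkout page and a hypothetical skimmer infrastructure.
const PAGE = "https://shop.example.test";
const SKIMMER_SCRIPT = "https://cdn.evil.example/checkout.js";
const SKIMMER_SOCKET = "wss://ws.evil.example/collect";

// Common weak policy: script-src only, so connect-src is unrestricted, and the
// bare https: scheme source lets any https host serve script.
const WEAK_CSP = "script-src 'self' 'unsafe-inline' https:";

// Hardened policy: every fetch directive enumerates hosts, the WebSocket
// endpoint included, and default-src 'none' closes everything else.
const STRICT_CSP =
  "default-src 'none'; script-src 'self' https://static.shop.example.test; " +
  "connect-src 'self' https://api.shop.example.test wss://ws.shop.example.test; " +
  "img-src 'self'; style-src 'self'";

console.log("weak  ", skimmerExposure(WEAK_CSP, PAGE, SKIMMER_SCRIPT, SKIMMER_SOCKET));
console.log("strict", skimmerExposure(STRICT_CSP, PAGE, SKIMMER_SCRIPT, SKIMMER_SOCKET));
```

Run it with `node` and the weak policy reports both `scriptLoads` and `socketOpens` as true, the strict policy both as false, while the strict policy still admits the site's own `wss://ws.shop.example.test` socket. The lesson is in `effectiveSources`: a missing `connect-src` with no `default-src` is not "deny", it is "anything goes".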
Related ATT&CK Techniques
The recap does not list ATT&CK IDs; the mappings below are the editor's reading of its themes:
- T1014 Rootkit (the Linux rootkit)
- T1195 Supply Chain Compromise (poisoned trusted downloads)
- T1190 Exploit Public-Facing Application (cloud servers compromised through old, unpatched bugs)
Indicators of Compromise
The recap does not publish actionable indicators (file hashes, domains, or IP addresses). The table below records only the threat categories it covers, keyed to the weekly recap they appear in.
| Source | Category | Threat |
|---|---|---|
| Weekly-Recap-2026-05 | Rootkit | Linux Rootkit |
| Weekly-Recap-2026-05 | Infostealer | macOS Crypto Stealer |
| Weekly-Recap-2026-05 | Code Injection | WebSocket Skimmers |