Linux’s biggest security breaches prove it’s not immune to malware


One thing Linux fans have always loved to tout over Windows was its security. While Windows has had lots of high-profile security breaches, Linux has also had its share of malware attacks, putting the belief that it’s more secure than Windows in question.

XZ Utils supply chain attack

An attack stopped in the nick of time

XZ Utils homepage.

XZ Utils is an open-source compression utility similar to ZIP and RAR. It’s well-known for its high compression rates compared to other compressed file formats, and is widely used in commercial software including Google Chrome and Spotify. XZ Utils’ ubiquity made it vulnerable to a supply chain attack.

A developer using the name “Jia Tan” (the programmer’s actual identity remains unknown) apparently badgered the previous maintainer,, Lasse Collin, over slow updates to the project and convinced Collin to give them full access to the codebase. The developer spent several years placing a backdoor into XZ Utils that would have given them full access to nearly any Linux machine using SSH.

It was almost by pure luck that a Microsoft developer caught this backdoor when he noticed higher-than-usual CPU usage from SSH. The backdoored versions of XZ Utils were shipping in distros that used newer versions, but when the backdoor was discovered, the updates were quickly recalled. If this attack had succeeded, it might have been the biggest security breach in Linux’s history. The backdoor highlighted the problem that unpaid developers maintain many projects considered essential. Collin resumed maintaining XZ Utils.

Mirai

Turning your Linux router into a botnet army

A Wi-Fi router with a bunch of soda cans on it. Credit: Ismar Hrnjicevic / How-To Geek

Linux is popular in embedded applications because it can be stripped down to run on low-spec devices. Companies are also installing sensors with network connectivity as part of the “Internet of Things.” This makes Linux an attractive target for people who want to run botnets. Mirai (Japanese for “future”) is a botnet that infects Linux Internet of Things devices. It also includes common consumer gear like security cameras and Wi-Fi routers.

The thought of a camera or router spying on you is frightening enough, but your devices could become part of a botnet attack.

Mirai has mostly caused trouble through DDoS (Distributed Denial of Service) attacks. Some of the highest-profile victims include the Dyn dynamic DNS service and the website of security researcher Brian Krebs.

Mirai infected devices using their default usernames and passwords, which is why you should change them as soon as possible when you get a new one.

The 2026 AUR infiltration

Can you trust your Linux packages?

Arch Linux has a following among technical Linux users for its flexibility. While package management is nothing new on Linux, the Arch User Repository, or AUR is unique in giving users the ability to install packages that are outside of the standard Arch repositories. Some AUR packages are proprietary, while others are too new to be in the main Arch repositories but will often be later.

While AUR is popular among Arch users, it relies on a sense of trust. As with the XZ Utils back door, it’s possible to take advantage of that trust. In 2026, a similar supply chain attack. Similar to the XZ Utils attack, apparently friendly developers seized upon packages that were being unmaintained and took over maintainership, inserting their own malicious code. The attack is believed to have compromised over 1,500 packages on AUR.

Arch Linux responded by temporarily disabling new account signups to AUR, but the event raises some troubling questions about the open source supply chain. While the main Arch repositories are believed to be unaffected, you have to wonder how you can trust who’s developing open source software.

Badbunny

OpenOffice.org was just as good as Excel in spreading malware

A blank spreadsheet in LibreOffice Calc.

In the ’90s and early 2000s, Microsoft Office and Visual Basic for Applications were common vectors for malware. Visual Basic for Applications (VBA) was a common culprit. Linux users might have felt superior. A popular xkcd comic about a Linux user scoffing at being sold a Windows antivirus at Best Buy summed up a common attitude among Linux users of the era, and using both macOS (when it was still called Mac OS X) and Linux, I admit I identified with it. Microsoft eventually mitigated this problem by turning off the ability for macros to run by default.

But Linux could run these “macro viruses.” Badbunny, not to be confused with the popular Puerto Rican singer, was one that ran on the predecessor to LibreOffice, OpenOffice.org, that also had a macro language. This piece of malware got its name from the racy image that it would display.

Linux.Encoder ransomware attack

Yes, Linux can get ransomware

Google Drive Ransomware issue warning users Credit: Google

While ransomware, malware that takes over a machine and threatens to delete files unless the users cough up payments, typically in cryptocurrency, has become a serious problem, it’s another thing that has most affected Windows users. This is likely because Windows is still the most common desktop operating system, and institutions like hospitals would be more desperate to pay to get the use of their machines back.

The Linux.Encoder ransomware has shown that Linux users aren’t immune to ransomware attacks either. Linux.Encoder spread through Magento, a shopping cart program for e-commerce sites. Smaller sites tend not to have the same protection that big sites like Amazon do.

Devnull

A ’90s-tastic Linux worm

Using tmux with a customized color scheme with Weechat IRC client running on a shell account.

Devnull is an interesting piece of malware because of how of its time it was. Devnull, as reported by F-Secure, was a worm that spread in the early 2000s. The worm, which takes its name from the /dev/null device or “bit bucket” on Linux systems, would download a shell script onto an infected computer and make it part of a botnet by installing a program. The program appeared to be an IRC client that would connect and infect other machines using the GCC compiler suite if it’s installed on the system.


Linux isn’t safe from malware just by itself

The ultimate lesson is that Linux, especially in the hands of overly trusting or naive users, can be vulnerable to malware as Windows is. The price of software freedom will have to be eternal vigilance. This will mean staying on top of updates and paying attention to your configuration.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


TL;DR

Meta stripped NameTag facial recognition code from its AI app one day after WIRED exposed it on 50 million phones. Meta says no decision has been made.

Meta removed nearly all traces of an unreleased facial recognition system from its smart glasses companion app on Friday, one day after WIRED reported that the software had been quietly embedded in an app installed on more than 50 million phones. The feature, which Meta internally called NameTag, was designed to convert faces captured by the company’s Ray-Ban smart glasses into unique biometric signatures and compare them against a database stored on the user’s device. WIRED also found that faces the system failed to recognise were cropped, indexed, and stored locally for future processing.

Andy Stone, Meta’s vice president of communications, told WIRED on Monday that the feature is “purely exploratory,” adding that no final decision has been made on what to do with it. That characterisation sits uneasily with the evidence WIRED documented. The version of Meta AI published the day of WIRED’s Thursday report contained several code libraries explicitly named for face recognition, a process for running the NameTag recognition pipeline, and a “Person recognised” alert the app would have shown if someone were identified.

Friday’s release stripped all of it out, along with a folder where the app would have stored the cropped images and biometric signatures of unrecognised faces. Meta did not answer WIRED’s questions about why the code was removed or whether the changes were planned before the story was published. A few fragments remain in the latest version, including an internal debug menu label and a dormant link meant to open a recognised person’s profile, pointing to parts of the system that are no longer there.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The gap between Meta’s public statements and the code WIRED found is the central tension. Before the Thursday report, Stone dismissed the findings by writing that the company could not answer questions about how the system would work because “the feature does not exist.” Andrew Bosworth, Meta’s chief technology officer, called the reporting “incredibly misleading” and “absolutely dishonest.” Yet the code was functional enough to include three AI models, one to detect faces, another to crop them, and a third to encode them as biometric data, all embedded in the companion app for a product already at the centre of a mounting privacy crisis.

Meta declined to answer ten questions WIRED posed before publishing, including whether it had already created the database of face profiles NameTag uses, how long the app retains photographs and biometric data of unrecognised people, and whether that data would ever be sent back to Meta’s servers. The company also did not respond to questions about whether it was building NameTag for blind or low-vision users, or to criticism from privacy advocates who warned the system could let stalkers and abusers identify strangers in public.

NameTag first surfaced in February, when The New York Times, citing internal Meta documents, reported that the company was developing face recognition for its smart glasses and considering a launch as early as this year. One internal memo reportedly described releasing the feature during a “dynamic political environment” when privacy and civil liberties advocates would be distracted by other concerns. WIRED subsequently found that much of NameTag’s machinery had been built into the Meta AI app as early as January, months before any public acknowledgement, adding another layer to the company’s pattern of shipping first and disclosing later when it comes to its smart glasses.

Kade Crockford, director of the technology for liberty programme at the American Civil Liberties Union of Massachusetts, said the removal does not undo the original decision to ship the code and pointed to it as evidence that consumer privacy needs stronger legal protection than Congress has been willing to provide. The Massachusetts House of Representatives last week unanimously passed a consumer privacy bill that, if enacted as written, would impose strong enforcement provisions including a private right of action allowing aggrieved users to sue. “State lawmakers need to do their job and step up to protect consumer privacy,” Crockford said.

Meta’s sneaky tactics in slipping the face-recognition code into its smart glasses show exactly why data privacy bills need the teeth of strong enforcement,” Crockford added. “Companies like Meta prioritise their bottom line, so lawmakers need to speak in the only language its C-suite understands.” Whether a code removal prompted by investigative reporting constitutes a victory or merely a tactical retreat depends on what Meta does next, and on whether the regulatory pressure building on both sides of the Atlantic produces enforceable consequences before the feature quietly returns under a different name.



Source link