One thing Linux fans have always loved to tout over Windows was its security. While Windows has had lots of high-profile security breaches, Linux has also had its share of malware attacks, putting the belief that it’s more secure than Windows in question.
XZ Utils supply chain attack
An attack stopped in the nick of time
XZ Utils is an open-source compression utility similar to ZIP and RAR. It’s well-known for its high compression rates compared to other compressed file formats, and is widely used in commercial software including Google Chrome and Spotify. XZ Utils’ ubiquity made it vulnerable to a supply chain attack.
A developer using the name “Jia Tan” (the programmer’s actual identity remains unknown) apparently badgered the previous maintainer,, Lasse Collin, over slow updates to the project and convinced Collin to give them full access to the codebase. The developer spent several years placing a backdoor into XZ Utils that would have given them full access to nearly any Linux machine using SSH.
It was almost by pure luck that a Microsoft developer caught this backdoor when he noticed higher-than-usual CPU usage from SSH. The backdoored versions of XZ Utils were shipping in distros that used newer versions, but when the backdoor was discovered, the updates were quickly recalled. If this attack had succeeded, it might have been the biggest security breach in Linux’s history. The backdoor highlighted the problem that unpaid developers maintain many projects considered essential. Collin resumed maintaining XZ Utils.
Mirai
Turning your Linux router into a botnet army
Linux is popular in embedded applications because it can be stripped down to run on low-spec devices. Companies are also installing sensors with network connectivity as part of the “Internet of Things.” This makes Linux an attractive target for people who want to run botnets. Mirai (Japanese for “future”) is a botnet that infects Linux Internet of Things devices. It also includes common consumer gear like security cameras and Wi-Fi routers.
The thought of a camera or router spying on you is frightening enough, but your devices could become part of a botnet attack.
Mirai has mostly caused trouble through DDoS (Distributed Denial of Service) attacks. Some of the highest-profile victims include the Dyn dynamic DNS service and the website of security researcher Brian Krebs.
Mirai infected devices using their default usernames and passwords, which is why you should change them as soon as possible when you get a new one.
The 2026 AUR infiltration
Can you trust your Linux packages?
Arch Linux has a following among technical Linux users for its flexibility. While package management is nothing new on Linux, the Arch User Repository, or AUR is unique in giving users the ability to install packages that are outside of the standard Arch repositories. Some AUR packages are proprietary, while others are too new to be in the main Arch repositories but will often be later.
While AUR is popular among Arch users, it relies on a sense of trust. As with the XZ Utils back door, it’s possible to take advantage of that trust. In 2026, a similar supply chain attack. Similar to the XZ Utils attack, apparently friendly developers seized upon packages that were being unmaintained and took over maintainership, inserting their own malicious code. The attack is believed to have compromised over 1,500 packages on AUR.
Arch Linux responded by temporarily disabling new account signups to AUR, but the event raises some troubling questions about the open source supply chain. While the main Arch repositories are believed to be unaffected, you have to wonder how you can trust who’s developing open source software.
Badbunny
OpenOffice.org was just as good as Excel in spreading malware
In the ’90s and early 2000s, Microsoft Office and Visual Basic for Applications were common vectors for malware. Visual Basic for Applications (VBA) was a common culprit. Linux users might have felt superior. A popular xkcd comic about a Linux user scoffing at being sold a Windows antivirus at Best Buy summed up a common attitude among Linux users of the era, and using both macOS (when it was still called Mac OS X) and Linux, I admit I identified with it. Microsoft eventually mitigated this problem by turning off the ability for macros to run by default.
But Linux could run these “macro viruses.” Badbunny, not to be confused with the popular Puerto Rican singer, was one that ran on the predecessor to LibreOffice, OpenOffice.org, that also had a macro language. This piece of malware got its name from the racy image that it would display.
Linux.Encoder ransomware attack
Yes, Linux can get ransomware
While ransomware, malware that takes over a machine and threatens to delete files unless the users cough up payments, typically in cryptocurrency, has become a serious problem, it’s another thing that has most affected Windows users. This is likely because Windows is still the most common desktop operating system, and institutions like hospitals would be more desperate to pay to get the use of their machines back.
The Linux.Encoder ransomware has shown that Linux users aren’t immune to ransomware attacks either. Linux.Encoder spread through Magento, a shopping cart program for e-commerce sites. Smaller sites tend not to have the same protection that big sites like Amazon do.
Devnull
A ’90s-tastic Linux worm
Devnull is an interesting piece of malware because of how of its time it was. Devnull, as reported by F-Secure, was a worm that spread in the early 2000s. The worm, which takes its name from the /dev/null device or “bit bucket” on Linux systems, would download a shell script onto an infected computer and make it part of a botnet by installing a program. The program appeared to be an IRC client that would connect and infect other machines using the GCC compiler suite if it’s installed on the system.
Linux isn’t safe from malware just by itself
The ultimate lesson is that Linux, especially in the hands of overly trusting or naive users, can be vulnerable to malware as Windows is. The price of software freedom will have to be eternal vigilance. This will mean staying on top of updates and paying attention to your configuration.


