China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no

The article reports that a China-linked group known as Velvet Ant secretly modified core Linux authentication components (PAM and OpenSSH) to install long‑lasting backdoors, enabling credential theft and command logging while remaining hidden for years inside standard login software.[2][3] This is a classic software supply-chain style compromise at the OS/authentication layer, where attackers implant persistent access in foundational components defenders inherently trust. For AI systems, CyberSE.AI’s analysis is that similar techniques could target OS images, authentication libraries, or container base images used by AI agents and model-serving infrastructure, undermining all higher-layer security controls. Organizations should therefore treat their Linux and container base images as part of the AI supply chain, maintain SBOMs, and perform integrity monitoring and attestation on PAM/OpenSSH and other critical components used in AI pipelines and inference servers.