Detection-Engineering
The Login Path Is the Target: Inside the PAM/OpenSSH Backdoor Playbook Attackers Keep Reusing
Sygnia's Operation Highland found a China-nexus group living inside an air-gapped network for a decade by backdooring pam_unix.so and sshd. It's the same target the XZ Utils and Ebury campaigns went after — because the Linux authentication stack is the softest hard target in your fleet.