DAILY BRIEFING · JUNE 13, 2026 · #087

Arch Linux supply-chain worm, Velvet Ant backdoor, Gemini phishing-as-a-service

June 13, 2026 · AI-Generated Analysis · 5 min read
Severity: Medium
Industries: Technology
Contextual · AI analysis · Synthesized from 10 feeds · verify before acting

TL;DR

Over 400 Arch Linux packages compromised with credential-stealing malware and eBPF rootkit; China-linked group exposed hiding in Linux login systems for nearly a decade; Google sues Chinese phishing-as-a-service network using Gemini AI.

THREAT LEVEL: HIGH – Supply-chain compromises and persistent Linux backdoors require immediate remediation and audit of build systems

Top Threats Today

1. Arch Linux Supply-Chain Compromise—Credential Stealer & eBPF Rootkit

Severity: HIGH   Affected: Technology

Attackers hijacked more than 400 packages in the Arch User Repository (AUR) this week and rewrote build scripts to deploy a Rust-based credential stealer on developer machines [1]. When executed with root privileges, the malware can load an eBPF rootkit, granting persistent kernel-level access [1][2]. Any developer who built these compromised packages is at immediate risk of credential theft and system compromise.
Sources: [1] The Hacker News; [2] BleepingComputer

Recommended Action

  • Audit all systems that recently built packages from AUR; treat any affected machine as potentially compromised
  • Revoke all credentials (SSH keys, API tokens, access tokens) that may have been present on affected systems
  • Review security logs on developer machines for suspicious eBPF or kernel activity; consider fully rebuilding affected systems from trusted media
  • Monitor for unauthorized access to repositories, cloud accounts, and internal systems using credentials from affected developers

2. Velvet Ant—Decade-Long Linux Authentication Backdoor

Severity: HIGH   Affected: Technology

A China-nexus group tracked as Velvet Ant spent close to a decade hidden inside Linux login systems by backdooring the PAM (Pluggable Authentication Modules) and OpenSSH components that control user authentication [1]. This level of persistence in authentication infrastructure allowed the group to evade standard endpoint detection while maintaining login access across victim systems.
Sources: [1] The Hacker News

Recommended Action

  • Audit PAM and OpenSSH configurations on all Linux systems for unauthorized modifications or suspicious binaries
  • Review authentication logs spanning the past 12 months for anomalous login patterns or impossible travel scenarios
  • Verify integrity of PAM and SSH binaries against trusted sources; consider reprovisioning critical authentication servers
  • Implement kernel-level auditing and module integrity checking to detect future authentication-layer tampering
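For the AUR audit in item 1 and the PAM/OpenSSH integrity checks in item 2, the following added example (not code from the briefing or its sources) shows what those checks look like on an Arch Linux host. It assumes pacman is present, that `pacman -Qkk` reports each altered file as `pkg: /path (Reason mismatch)` with an optional `warning: ` prefix, and that file paths contain no spaces; the package names `pam` and `openssh` are Arch's.

```shell
# Added example for briefing items 1 and 2 (not code from the briefing or its sources).
# Assumes Arch Linux with pacman; the parser is separate so it also runs on captured -Qkk output.

# Foreign packages: installed but absent from every sync repo. On a typical Arch
# system these are exactly the AUR builds the briefing says to audit.
list_foreign_packages() {
    pacman -Qm | awk '{ print $1 }'
}

# Reduce `pacman -Qkk` output to one line per altered file: "pkg<TAB>path<TAB>reason".
# Assumed line shape: "[warning: ]pkg: /path (Reason mismatch)"; the per-package
# "pkg: N total files, M altered files" summary lines are dropped.
parse_qkk_mismatches() {
    sed 's/^warning: //' | awk '
        / total files, / { next }
        /^[^:]+: \/.* \(.*\)$/ {
            pkg = $1; sub(/:$/, "", pkg)
            path = $2
            reason = $0; sub(/^.*\(/, "", reason); sub(/\)$/, "", reason)
            print pkg "\t" path "\t" reason
        }'
}

# Config files under /etc are expected to differ from the package (pacman tracks them
# as backup files); a changed .so or binary under /usr is the signal worth reviewing.
drop_config_mismatches() {
    awk -F'\t' '$2 !~ /^\/etc\//'
}

# Altered non-config files in the authentication stack (PAM and OpenSSH packages).
check_auth_stack() {
    pacman -Qkk pam openssh 2>&1 | parse_qkk_mismatches | drop_config_mismatches
}

# PAM modules no installed package owns (pacman -Qo exits non-zero for unowned files):
# this is how a dropped-in module would look.
find_unowned_pam_modules() {
    dir=${1:-/usr/lib/security}
    for mod in "$dir"/*.so; do
        [ -e "$mod" ] || continue
        pacman -Qo "$mod" >/dev/null 2>&1 || printf '%s\n' "$mod"
    done
}

# Live checks run only where pacman exists; the parser can be exercised anywhere.
if command -v pacman >/dev/null 2>&1; then
    echo '== foreign (AUR) packages =='; list_foreign_packages
    echo '== altered non-config files in pam/openssh =='; check_auth_stack
    echo '== PAM modules owned by no package =='; find_unowned_pam_modules
fi
```

A mismatch reported for a module or binary under /usr is a lead to compare against a freshly downloaded copy of the package, not proof of compromise on its own.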

3. Google Files Suit Against Chinese Phishing-as-a-Service Network Using Gemini AI

Severity: HIGH   Affected: Technology

Google announced legal action Friday against a Chinese cybercrime network operating a phishing-as-a-service platform that uses Google's Gemini AI agent to send crafted smishing (SMS phishing) text messages targeting Americans [1]. The integration of legitimate AI tools into phishing infrastructure represents an operational escalation in attack sophistication and reach.
Sources: [1] The Hacker News

Recommended Action

  • Educate users to treat unexpected text messages—especially those requesting account verification or urgent action—with heightened skepticism
  • Enable SMS filtering and multi-factor authentication on all critical accounts to reduce smishing success rates
  • Monitor for anomalous SMS activity targeting your organization; flag high-volume phishing campaigns to carriers and law enforcement

4. phpBB Authentication Bypass Lurking for a Decade

Severity: HIGH   Affected: Technology

A 10-year-old authentication bypass vulnerability in phpBB forum software allows attackers to log in as any user, including administrators, without valid credentials [1]. The extended timeline suggests the flaw may have been exploited undetected in production environments for years.
Sources: [1] BleepingComputer

Recommended Action

  • Immediately identify and patch all phpBB installations to the latest security release
  • Audit user access logs for suspicious login patterns or administrative account activity dating back at least one year
  • Reset all user credentials and enforce password changes across the platform
  • Review recent administrative actions (user deletions, permission changes, data exports) for unauthorized activity

5. Meta AI Support Bot Weaponized to Reset High-Profile Instagram Accounts

Severity: HIGH   Affected: Technology

The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend after attackers used instructions circulating on Telegram to manipulate Meta's “AI support assistant” bot into resetting account credentials [1]. This demonstrates the weaponization of customer support automation against high-value targets.
Sources: [1] Krebs on Security

Recommended Action

  • Review Meta's published account recovery guidelines and disable automated recovery channels for government and high-visibility accounts if possible
  • Implement hardware security keys as the sole recovery method for accounts with sensitive constituencies
  • Monitor official government social media channels for compromise indicators; establish manual verification procedures for account takeover claims

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.
