TL;DR
Splunk Enterprise flaw (CVE-2026-20253, CVSS 9.8) enables unauthenticated remote code execution. Over 400 Arch Linux AUR packages hijacked to deploy infostealer and eBPF rootkit. China-linked Velvet Ant group maintained decade-long backdoor access to Linux authentication systems (PAM, OpenSSH).
Executive Summary
- Splunk Enterprise patch released for CVE-2026-20253 (CVSS 9.8), a critical unauthenticated RCE affecting Splunk Enterprise deployments globally.
- Attackers compromised over 400 Arch Linux AUR packages this week, injecting a credential-stealing Rust binary and an eBPF rootkit into developer build environments.
- Velvet Ant, a China-linked threat group, maintained undetected persistence inside Linux PAM and OpenSSH authentication components for nearly a decade, enabling persistent administrative access.
- Google sued a Chinese phishing-as-a-service (PaaS) network accused of weaponizing Gemini AI to conduct smishing attacks against U.S. targets.
- Meta's AI support bot was exploited to reset high-profile Instagram accounts (Obama White House, U.S. Space Force accounts) after attackers distributed instructions on Telegram.
Top Threats Today
1. Splunk Enterprise Unauthenticated RCE (CVE-2026-20253)
Severity: CRITICAL Affected: Technology
Splunk has released security updates to address a critical vulnerability in Splunk Enterprise that allows attackers to conduct unauthenticated file operations and remote code execution [1]. The vulnerability, CVE-2026-20253, carries a CVSS score of 9.8 [1].
Sources: [1] The Hacker News
Recommended Action
- Immediately apply Splunk security updates to all Splunk Enterprise deployments
- Verify that authentication is enforced on all Splunk web and API interfaces
- Monitor Splunk instance logs for signs of unauthorized access or code execution
- Segment Splunk instances from sensitive networks pending patch verification
2. Arch Linux AUR Supply-Chain Compromise (400+ Packages)
Severity: CRITICAL Affected: Technology
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer [1]. The malware is a Rust binary engineered to harvest developer secrets; when executed with root privileges, it can also load an eBPF rootkit [1].
Sources: [1] The Hacker News
Recommended Action
- Audit all systems that built Arch Linux packages from AUR this week for credential compromise
- Revoke SSH keys, API tokens, and authentication credentials used on compromised developer systems
- Review git commit history and repository access logs for unauthorized changes
- Monitor for signs of eBPF rootkit installation (unusual kernel module loading)
3. Velvet Ant: Decade-Long Linux Authentication Backdoor
Severity: CRITICAL Affected: Government
A China-nexus threat group tracked as Velvet Ant by Sygnia spent close to a decade hidden inside the Linux login system itself [1]. The group backdoored the PAM (Pluggable Authentication Modules) and OpenSSH components that control user login authorization [1]. This placement allowed undetected persistence within the authentication stack—the system defenders typically monitor least closely—and enabled full visibility into administrative activity across the target organization [1].
Sources: [1] The Hacker News
Recommended Action
- Audit PAM and OpenSSH configurations and code on all Linux systems for unauthorized modifications
- Review authentication logs (auth.log, secure) for evidence of backdoored login attempts spanning months to years
- Rotate all administrative credentials and SSH keys; assume full compromise of authentication state during suspected intrusion window
- Engage forensic specialists to recover indicators of compromise and establish true scope of access
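One way to carry out the PAM/OpenSSH audit recommended above, as an added example that is not part of the briefing or of Sygnia's reporting: hash the files that make up the login path on a known-good host, then compare any suspect host against that baseline so modified, removed and dropped-in files stand out. The directory list in AUTH_DIRS and the script name are assumptions; adjust them to the distribution in use.

```shell
#!/bin/sh
# Added example (not from the briefing): check the files that make up the Linux
# login path (PAM modules and config, OpenSSH binaries and config) against a
# sha256 baseline taken from a trusted source, e.g. a clean install or the
# package checksums. Reports MODIFIED, MISSING and UNEXPECTED entries.
# Baseline format is sha256sum's: "<64 hex chars>  <path>", one per line.

# Paths covering the authentication stack; an assumption, adjust per distro.
AUTH_DIRS="${AUTH_DIRS:-/lib/security /lib/x86_64-linux-gnu/security /etc/pam.d /etc/ssh /usr/sbin/sshd}"

# Every regular file under AUTH_DIRS, sorted so it can be compared with comm.
list_auth_files() {
    for p in $AUTH_DIRS; do
        [ -e "$p" ] && find "$p" -type f
    done | sort
}

# capture_baseline <outfile>: record current hashes (run on a known-good host).
capture_baseline() {
    list_auth_files | while read -r f; do sha256sum "$f"; done > "$1"
}

# check_baseline <baseline>: returns 0 if clean, 1 if anything differs.
check_baseline() {
    baseline="$1"; rc=0
    while read -r want path; do
        [ -f "$path" ] || { echo "MISSING $path"; rc=1; continue; }
        have=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$baseline"
    # Files present now but absent from the baseline: a dropped-in PAM module
    # or an extra sshd config fragment shows up here.
    known=$(mktemp)
    cut -c67- "$baseline" | sort > "$known"
    unexpected=$(list_auth_files | comm -13 "$known" -)
    rm -f "$known"
    if [ -n "$unexpected" ]; then
        echo "$unexpected" | sed 's/^/UNEXPECTED /'; rc=1
    fi
    return $rc
}

# Usage: sh auth_integrity.sh capture <baseline> | check <baseline>
case "${1:-}" in
    capture) capture_baseline "$2" ;;
    check)   check_baseline "$2" ;;
esac
```

Keep the baseline off the audited host (it is only as trustworthy as the system that produced it), and treat any MODIFIED or UNEXPECTED PAM module as a trigger for the forensic engagement and credential rotation steps above.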
4. Google Sues Chinese Smishing-as-a-Service Using Gemini AI
Severity: HIGH Affected: Technology
Google on Friday announced legal action against a Chinese cybercrime network accused of using its Gemini artificial intelligence agent to send phishing text messages (smishing) targeting Americans [1]. The network operates a phishing-as-a-service platform [1].
Sources: [1] The Hacker News
Recommended Action
- Alert users to the smishing campaign; provide indicators (sender numbers, message text samples) if available
- Implement SMTP authentication hardening and SMS filtering where feasible
- Monitor for credential harvesting and account takeover attempts targeting phishing victims
5. Meta AI Support Bot Exploited to Compromise High-Profile Instagram Accounts
Severity: HIGH Affected: Technology
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages after instructions began circulating on Telegram showing how to trick Meta's “AI support assistant” bot into resetting account credentials [1].
Sources: [1] Krebs on Security
Recommended Action
- Enable and verify hardware security key or authenticator-app-based MFA on high-profile social media accounts
- Monitor AI chatbot interfaces used for account recovery for social engineering vulnerability
- Restrict account password reset to verified identity verification channels only
Today’s Action Checklist
- ☐ URGENT: Patch all Splunk Enterprise instances with CVE-2026-20253 security update
- ☐ URGENT: Audit systems that built Arch Linux AUR packages this week; assume credential compromise
- ☐ URGENT: Rotate all administrative SSH keys and credentials on Linux systems; audit PAM/OpenSSH for backdoors
- ☐ HIGH: Review high-profile social media account recovery flows; enforce hardware MFA on executive accounts
- ☐ HIGH: Alert users to smishing campaign using Gemini AI; monitor for credential harvesting