A Linux rootkit entered the wild this week through a compromised trusted download, exploiting supply chain trust mechanisms to gain kernel-level access. Simultaneous discoveries revealed a macOS cryptocurrency stealer targeting digital wallet theft and WebSocket-based skimmers harvesting payment card data from e-commerce transactions.

The compromised software distribution chain represents the highest-risk vector. Attackers poisoned a legitimate download source, forcing defenders to assume that any installation of that software during the affected window carries the rootkit payload. Linux systems running the affected version face persistent kernel compromise, enabling complete system takeover and evasion of standard detection tools.

The macOS threat targets cryptocurrency holders directly. The stealer intercepts wallet credentials and seed phrases, granting attackers direct access to digital assets. Users storing crypto on affected machines face total fund loss if compromised.

WebSocket skimmers represent a newer evasion technique against payment security. Rather than targeting traditional HTTP traffic, these skimmers intercept WebSocket connections used for real-time e-commerce transactions, capturing card data during checkout before encryption takes effect. Retailers using legacy WebSocket implementations face elevated risk.
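As an added example from the defender's side (not code from the original post), the wrapper below restricts a checkout page's WebSocket connections to an allowlist of expected origins and reports any attempt to reach another host; the origin names and the fake WebSocket constructor used for the stand-alone run are constructed for illustration.

```javascript
// Added example (not from the original post): a browser-side guard that
// restricts which origins a page's WebSocket connections may target. A skimmer
// injected into a checkout page still has to open a socket to its collection
// server; an allowlist of legitimate endpoints turns that into a blocked event.

// Returns true if `url` resolves to an origin (scheme + host + port) that is
// on the allowlist. A ws:// endpoint is only permitted if listed explicitly.
function isAllowedSocketOrigin(url, allowlist) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // an unparseable URL is never allowed
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") return false;
  return allowlist.includes(parsed.origin);
}

// Replaces the WebSocket constructor on `scope` (normally `window`) with a
// wrapper that rejects and reports connections to unlisted origins.
function installWebSocketGuard(scope, allowlist, report) {
  const Original = scope.WebSocket;
  if (typeof Original !== "function") return null;
  function GuardedWebSocket(url, protocols) {
    const target = String(url);
    if (!isAllowedSocketOrigin(target, allowlist)) {
      report({ url: target, reason: "origin not on allowlist" });
      throw new Error("WebSocket connection blocked: " + target);
    }
    return new Original(target, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype; // keep instanceof working
  Object.assign(GuardedWebSocket, Original); // copy CONNECTING/OPEN/... constants
  scope.WebSocket = GuardedWebSocket;
  return GuardedWebSocket;
}

// Stand-alone run using a constructed fake WebSocket so it works outside a
// browser; in a real page, pass `window` as the scope.
function demo() {
  const events = [];
  const scope = { WebSocket: function FakeWebSocket(url) { this.url = url; } };
  installWebSocketGuard(scope, ["wss://checkout.example.com"], (e) => events.push(e));
  const legit = new scope.WebSocket("wss://checkout.example.com/cart");
  let blocked = false;
  try { new scope.WebSocket("wss://collector.example.net/cards"); } catch (e) { blocked = true; }
  return { legitUrl: legit.url, blocked, events };
}
```

A script injected into the page runs with the same privileges and could replace the wrapper, so treat this as telemetry that complements a Content-Security-Policy `connect-src` directive, which enforces the same allowlist in the browser itself.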

Cloud infrastructure misconfigurations continued creating public exposure. Multiple reports documented improperly secured cloud servers left accessible with default credentials and open administrative ports. Once inside, the reports described trivial lateral movement to sensitive data stores.

The week also surfaced continued exploitation of known vulnerabilities across production systems. Organizations remain unpatched against bugs years after disclosure, with attack tooling widely available and detection signatures well-established. Penetration testing data suggests adversaries routinely access networks through vulnerabilities that should have been remediated within 30 days of patch release.

The pattern reflects operational fatigue across enterprise security teams. Patch management backlogs grow while supply chain attacks accelerate, forcing defenders to choose between addressing new threats and closing decades-old holes. Attackers exploit this gap method