
Weekly Recap: Linux Rootkit, macOS Crypto Stealer & More

This week's threat roundup covers a Linux rootkit, macOS crypto stealer, and WebSocket skimmers. Here's what developers need to know right now.

May 11, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers: This Week in Threats

This week handed security teams a full plate. A new Linux rootkit, a macOS-targeting crypto stealer, and WebSocket-based payment skimmers all surfaced in active threat reports. Each one targets different parts of the stack, but together they paint a clear picture: attackers are broadening their surface area, and developers need to pay attention at every layer.

How the Linux Rootkit Works

The Linux rootkit making the rounds this week operates as a kernel module. Once loaded, it hides processes, network connections, and files from standard system inspection tools: commands like ps, netstat, and ls return sanitized output, so the malware is invisible to most manual audits.

Infection typically starts through a compromised SSH key or an unpatched service running as root. The rootkit then installs itself as a loadable kernel module (LKM), hooking into system calls to intercept and filter results before they reach userspace tools. Detection requires either integrity checks on the kernel itself or behavioral monitoring at the hypervisor level. Standard endpoint tools running on the infected host are largely blind.
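As an added illustration of the baseline-comparison approach (this is not code from the original report), the following Python script parses a /proc/modules listing (what lsmod reads), diffs it against a known-good baseline, and cross-checks it against /sys/module, where a module that has unlinked itself from the kernel's module list usually still has an entry carrying an initstate attribute. The sample listings and the module name hidden_mod_example are constructed for the demo; on a live host the read_sysfs_modules() collector reads the real sysfs tree. As the article notes, a kernel-resident rootkit can filter these views as well, so treat a clean result as a heuristic and confirm from a trusted live environment.

```python
"""LKM rootkit indicator check: module-list baseline diff plus sysfs cross-check.

Added example, not code from the original report. Sample data below is
constructed; on a real host pass open('/proc/modules').read() and
read_sysfs_modules() instead.
"""
import os

# Constructed /proc/modules excerpt (format: name size refcount deps state address).
SAMPLE_PROC_MODULES = """\
ext4 933888 2 - Live 0xffffffffc0a00000
xfs 1695744 0 - Live 0xffffffffc0b00000
nf_tables 303104 0 - Live 0xffffffffc0c00000
"""

# Known-good baseline recorded from the same host before deployment (constructed).
SAMPLE_BASELINE = {"ext4", "nf_tables", "crc32c_generic"}

# Constructed view of /sys/module: entry name -> attribute files under it.
# Loaded modules carry an 'initstate' attribute; built-in code that only
# exposes parameters (e.g. printk) does not, so it must not be flagged.
SAMPLE_SYSFS = {
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "xfs": {"initstate", "refcnt", "sections", "holders"},
    "nf_tables": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},
    "hidden_mod_example": {"initstate", "refcnt", "sections", "holders"},  # absent from the module list
}


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def read_sysfs_modules(root="/sys/module"):
    """Live collector: map each /sys/module entry to the attribute names it exposes."""
    view = {}
    for name in os.listdir(root):
        try:
            view[name] = set(os.listdir(os.path.join(root, name)))
        except OSError:
            view[name] = set()
    return view


def compare_to_baseline(loaded, baseline):
    """Modules loaded now but not in the baseline, and baseline modules no longer loaded."""
    return {
        "unexpected": sorted(loaded - baseline),
        "missing": sorted(baseline - loaded),
    }


def find_hidden_modules(loaded, sysfs):
    """Names that sysfs reports as loaded (initstate present) but the module list omits.

    A module that unlinks itself from the kernel's module list, the classic
    LKM hiding trick, disappears from lsmod while its sysfs entry often remains.
    """
    return sorted(
        name for name, attrs in sysfs.items()
        if "initstate" in attrs and name not in loaded
    )


def audit(proc_text, baseline, sysfs):
    """Combine both checks into one report; 'suspicious' is True if anything needs a look."""
    loaded = parse_proc_modules(proc_text)
    report = compare_to_baseline(loaded, baseline)
    report["hidden"] = find_hidden_modules(loaded, sysfs)
    report["suspicious"] = bool(report["unexpected"] or report["hidden"])
    return report


if __name__ == "__main__":
    # Demo on constructed data; swap in the live readers for a real host.
    for key, value in audit(SAMPLE_PROC_MODULES, SAMPLE_BASELINE, SAMPLE_SYSFS).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags xfs as unexpected relative to the baseline and hidden_mod_example as present in sysfs but missing from the module list, while printk (built-in, no initstate) is correctly ignored. Record the baseline from a freshly provisioned host and store it off-box, since a rootkit with root can rewrite anything kept locally.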

macOS Crypto Stealer Targeting Developer Environments

The macOS crypto stealer reported this week is particularly nasty for developers. It masquerades as a developer tool, often distributed through fake package registries or poisoned GitHub repositories. Once executed, it scans for wallet files, browser extension storage (targeting MetaMask, Phantom, and similar), and environment variables that might contain private keys or API tokens.

What makes this one worth flagging specifically: it targets .env files and shell history. If you have private keys or seed phrases stored in plaintext anywhere in your home directory, this stealer will find them. The lesson is old but still ignored. Secrets do not belong in plaintext files on developer machines.
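To make that audit concrete, here is an added Python scanner (not from the report) that looks for the same material the stealer goes after, in the defender's favour: it walks .env files and shell history under the home directory for assignments to secret-looking variable names and for PEM private-key markers, and reports only a redacted prefix of each value so the report itself does not leak anything. The contents in SAMPLE_FILES are constructed; scan_home() is the live collector; the variable-name patterns are an assumption and should be extended for your own conventions.

```python
"""Plaintext-secret audit for a developer home directory.

Added example, not from the report. It scans .env files and shell history
for assignments to secret-looking variable names and for PEM private-key
markers, reporting a redacted prefix only. SAMPLE_FILES is constructed;
scan_home() is the live collector. The name patterns are an assumption:
extend them for your own conventions.
"""
import re
from pathlib import Path

# Variable names that usually hold material the stealer is after (assumed patterns).
SENSITIVE_NAME = re.compile(
    r"(?i)(private[_-]?key|secret|token|passw(or)?d|mnemonic|seed[_-]?phrase|api[_-]?key)"
)
# KEY=value or export KEY=value, optionally quoted.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?(\S+)")
PEM_MARKER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HISTORY_FILES = (".zsh_history", ".bash_history")

# Constructed sample contents keyed by path; every value here is fake.
SAMPLE_FILES = {
    "~/projects/app/.env": (
        "DATABASE_URL=postgres://localhost/app\n"
        "STRIPE_SECRET_KEY=sk_test_example000\n"
        'WALLET_PRIVATE_KEY="0xdeadbeef00"\n'
        "VAULT_TOKEN=${VAULT_TOKEN}\n"  # reference resolved at runtime, not a literal
    ),
    "~/.zsh_history": (
        ": 1715400000:0;git status\n"
        ": 1715400100:0;export OPENAI_API_KEY=sk-example-abc\n"
        ": 1715400200:0;ls -la\n"
    ),
    "~/notes.txt": "-----BEGIN EC PRIVATE KEY-----\nMHQCAQEE...\n",
}


def scan_text(path, text):
    """Return (path, line_no, what, redacted_value) for each plaintext secret found."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw
        # zsh extended history prefixes each command with ': <epoch>:<duration>;'.
        if line.startswith(": ") and ";" in line:
            line = line.split(";", 1)[1]
        if PEM_MARKER.search(line):
            findings.append((path, line_no, "PEM private key", "<redacted>"))
            continue
        match = ASSIGNMENT.match(line)
        if not match or not SENSITIVE_NAME.search(match.group(1)):
            continue
        value = match.group(2).rstrip("'\"")
        if value.startswith("${"):
            continue  # placeholder pulled from a secrets manager, not a literal secret
        findings.append((path, line_no, match.group(1), value[:4] + "..."))
    return findings


def scan_all(files):
    """Scan an in-memory {path: text} mapping; used for the constructed demo."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_home(home=None):
    """Live collector: every .env under the home directory plus shell history files."""
    home = Path(home or Path.home())
    candidates = list(home.rglob(".env")) + [home / name for name in HISTORY_FILES]
    findings = []
    for path in candidates:
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(str(path), text))
    return findings


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(finding)
```

Anything the scanner reports is something the stealer would also have read; move it into a secrets manager and rotate it. The `${VAULT_TOKEN}` line is skipped deliberately, since a reference that is resolved at runtime is exactly the pattern the article recommends.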

WebSocket Skimmers: A Growing Threat to Web Applications

WebSocket-based skimmers represent a meaningful evolution in web-based card theft. Traditional Magecart-style attacks inject JavaScript that intercepts form submissions. WebSocket skimmers instead hook into the WebSocket connection used by checkout flows, capturing payment data as it transits in real time.

These skimmers are harder to catch with static analysis because they often use legitimate-looking script filenames and load conditionally, activating only on payment pages. Content Security Policy (CSP) headers help, but only if the legitimate WebSocket endpoints are explicitly allowlisted in connect-src. Many CSP configurations are too permissive on connect-src, leaving this exfiltration channel open.
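As an added example (not from the article), this Python helper parses a Content-Security-Policy header, works out which directive governs WebSocket connections (connect-src, falling back to default-src, otherwise unrestricted), flags scheme-wide or wildcard sources that would let a skimmer open a socket to any host, and checks that the legitimate checkout endpoint is explicitly allowlisted. The two headers and the endpoint wss://checkout.example.com are constructed; the exact-origin allowlist check is deliberately conservative.

```python
"""CSP connect-src audit for WebSocket exfiltration exposure.

Added example, not from the article. Parses a Content-Security-Policy
header, finds the directive that governs WebSocket connections, flags
permissive sources, and checks that the legitimate checkout endpoint is
explicitly allowlisted. The headers and endpoint below are constructed.
"""

# Scheme-only or wildcard sources: any host on that scheme can be contacted.
PERMISSIVE_SOURCES = {"*", "ws:", "wss:", "http:", "https:"}

# Constructed headers: the weak one allows any wss:// or https:// destination.
WEAK_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "connect-src 'self' wss: https:"
)
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "connect-src 'self' https://api.example.com wss://checkout.example.com"
)
CHECKOUT_WS = "wss://checkout.example.com"  # assumed legitimate checkout endpoint


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive, and when a directive is repeated
    browsers honour the first occurrence, which setdefault reproduces.
    """
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_connect_src(policy):
    """connect-src if set, else default-src as fallback, else (None, None) meaning unrestricted."""
    for directive in ("connect-src", "default-src"):
        if directive in policy:
            return policy[directive], directive
    return None, None


def audit_connect_src(header, expected_endpoints):
    """Report permissive sources and whether each expected endpoint is allowlisted exactly."""
    sources, directive = effective_connect_src(parse_csp(header))
    if sources is None:
        return {
            "directive": None,
            "sources": [],
            "findings": ["no connect-src or default-src: WebSocket destinations are unrestricted"],
            "allowlisted": [],
        }
    findings = []
    if directive == "default-src":
        findings.append("connect-src inherited from default-src; set it explicitly")
    for src in sources:
        low = src.lower()
        if low in PERMISSIVE_SOURCES:
            findings.append(f"{src}: allows any host on that scheme")
        elif low.startswith(("ws://", "http://")):
            findings.append(f"{src}: plaintext scheme")
        elif low.startswith("*.") or "://*." in low:
            findings.append(f"{src}: wildcard host")
    # Exact-origin match is conservative: CSP3 scheme matching also lets an
    # https://host entry cover wss://host, but an explicit wss:// entry is
    # unambiguous and is what you want to see on a checkout page.
    present = {s.lower() for s in sources}
    allowlisted = [e for e in expected_endpoints if e.lower() in present]
    return {
        "directive": directive,
        "sources": sources,
        "findings": findings,
        "allowlisted": allowlisted,
    }


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_connect_src(header, [CHECKOUT_WS]))
```

Run it against the header your checkout page actually serves (copy it from the response headers in DevTools). The weak policy is flagged twice, once for wss: and once for https:, and the checkout endpoint is not recognised as allowlisted; the hardened policy produces no findings and lists the endpoint.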

Running a web vulnerability scan against your checkout pages can surface unexpected outbound WebSocket connections and third-party script loads that shouldn't be there.

How to Protect Your Systems Right Now

A few concrete actions based on this week's threats:

  • Linux servers: Run kernel integrity checks using tools like chkrootkit or rkhunter. Better still, compare running kernel module lists against a known-good baseline. Enable auditd logging on critical paths.
  • macOS developer machines: Audit what has access to your home directory. Never store secrets in shell history or .env files outside of secrets managers. Use tools like 1Password CLI or HashiCorp Vault for local secret access.
  • Web applications: Tighten your CSP connect-src directive. Audit third-party JavaScript loading on payment pages. Consider subresource integrity (SRI) hashes for all externally loaded scripts.

Check your payment flows and third-party script inventory with a dedicated scan if you haven't done so recently.

FAQ

How do I know if my Linux server has a rootkit installed? Standard tools won't help if the rootkit is already active. Boot from a trusted live environment and inspect the filesystem and kernel modules from outside the running OS. Tools like rkhunter work best before infection, as a baseline comparison mechanism.

What's the fastest way to check for WebSocket skimmers on my site? Monitor outbound WebSocket connections during a checkout session using browser DevTools. Any wss:// connections to domains you don't recognize are a red flag worth investigating immediately.

Should I be worried about fake npm or PyPI packages targeting my dev machine? Yes. Always verify package publishers, check download counts, and review recent repository activity before installing anything new. Use lockfiles and pin dependencies to specific versions with verified checksums.


Scan your web application for skimmers, misconfigurations, and third-party script risks at VibeWShield.