LinuxSecurity.com

Updated: 12 hours 18 min ago

n8n 1.122.0 Critical RCE Auth Bypass Exploit CVE-2025-68613

Wed, 18/03/2026 - 5:29pm
n8n, the product affected by CVE-2025-68613, is an open-source automation tool used to connect APIs, databases, and SaaS apps into workflows. It is commonly used to move data between systems, trigger jobs, and tie services together, and in many environments it also holds credentials and access to internal services.

Ubuntu AppArmor Important Kernel Profile Manipulation Risk USN-8098-1

Tue, 17/03/2026 - 5:30pm
"Enabled" does not mean "Protected." Recent kernel vulnerabilities, including cases like USN-8098-1, show that a service can stay active while the policies it enforces are quietly swapped underneath it.

Linux Kernel eBPF Monitoring Rootkit Threats and Evasion Techniques

Mon, 16/03/2026 - 3:18pm
Linux runtime security increasingly depends on watching what the operating system is doing in real time. Security tools use eBPF (extended Berkeley Packet Filter) to attach probes within the Linux kernel, recording events such as new processes starting, files being opened, or network connections being created. Those events are then sent to detection engines such as Falco and other Linux runtime monitoring tools, which analyze the activity and alert when something suspicious is detected. This approach works because it lets defenders observe system behavior directly inside the kernel rather than relying only on logs written after the fact. The problem is that it assumes the monitoring pipeline inside the kernel can be trusted. Modern Linux rootkits are beginning to target that pipeline directly by intercepting functions in the eBPF event path and filtering or dropping records before they reach the buffer that security tools read from. When that happens, the activity still occurs on the system, but the monitoring tool never sees it. Experimental research such as SPiCa explores what this looks like in practice by demonstrating how kernel malware can manipulate the event stream produced by eBPF monitoring and effectively silence parts of the security stack while the tools themselves continue running normally. If attackers can tamper with the signals that monitoring tools rely on, defenders face a difficult problem because any security system that depends on those signals may be operating with blind spots.

Rethinking Data Protection in Modern Linux Cloud Environments

Mon, 16/03/2026 - 9:37am
For a long time, security teams approached infrastructure with a fairly simple idea. Protect the perimeter, patch the servers inside it, and keep attackers from crossing the boundary. That model made sense when systems were stable, and applications lived on a handful of long-running machines.

Linux Server Monitoring Challenges and Solutions for Security Teams

Fri, 13/03/2026 - 3:26pm
Linux shows up in places most people stop noticing. Web servers, Kubernetes nodes, build runners, database backends. Start tracing how modern platforms actually run, and a large portion of that infrastructure lands on Linux systems, which quietly turns Linux server security into a much bigger conversation than protecting individual hosts.

SocksEscort Linux Router Malware Botnet Takedown Operation Lightning

Fri, 13/03/2026 - 3:09pm
Authorities have dismantled SocksEscort, a service that sold access to a large proxy network built from compromised residential routers. Investigators say much of the infrastructure sat on infected SOHO networking devices, many running embedded Linux firmware.