Understanding Credential Harvesting via PAM: A Real-World Threat
ID: 20baef0b-8ec8-5000-81af-f1c2f14b04d6
STIX ID: report--20baef0b-8ec8-5000-81af-f1c2f14b04d6
Feed Name: Group-IB Blog
This blog explains how PAM modules (e.g., pam_unix.so) can be maliciously modified to log or exfiltrate plaintext credentials (MITRE ATT&CK T1556.003), provides a concrete code example and test evidence showing credentials written to system logs, cites real-world abuse by UNC1945 and UNC2891, and recommends mitigations such as disabling password-based SSH authentication, adopting key-based SSH, auditing PAM binaries, and deploying file-integrity monitoring and centralized logging.