A China-linked hacking group, tracked as Velvet Ant, has been hiding in plain sight for nearly a decade by backdooring Linux login software, specifically the PAM and OpenSSH components. This tactic allowed the group to evade detection by concealing its access within the login system itself, making it difficult to remove. By targeting these components, the hackers were able to grant themselves persistent access to the network, effectively flying under the radar of ordinary security measures. The group's ability to remain undetected for so long suggests a high degree of sophistication and patience [1]. This type of state-aligned activity shifts the threat model from traditional criminal activity to a geopolitical one, requiring a different approach to defense. The fact that a nation-state actor was able to hide in the Linux login system for so long matters to practitioners because it highlights the need for a more comprehensive and nuanced approach to security, one that accounts for the unique tactics and motivations of state-sponsored hackers.
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
⚡ High Priority
Why This Matters
State-aligned activity involving China shifts the threat model from criminal to geopolitical — different playbook required.
References
- The Hacker News. (2026, June 12). China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade. *The Hacker News*. https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html