VoidLink: The Cloud-Native Malware Framework Weaponizing Linux Infrastructure
8 points by laktak
I thought Dan's article over at Ars was easier to unpack, partly because he's a good writer and partly because it lacked the marketing noise:
There are some more technical details in the related research report from Checkpoint: https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
I have not verified this, but I saw somewhere on Twitter that the default configuration of the C2 server can be detected with the HTTP header: www-authenticate: basic realm="Voidlink C2"
I really don't understand big pieces of this story. I read the Ars article and skimmed the Checkpoint one. But how did Checkpoint discover this? Did it infect a small cluster of machines somewhere? But then how can they claim it's not been detected in the wild? Somehow they collected both binaries as well as "development artifacts" which include code comments? Did they hack into the VoidLink CI/CD pipeline to get them? Did some VoidLink developer accidentally post it on Pastebin?
This just seems like such a weird story and way of reporting it to me. What am I missing?