Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

TL;DR

Researchers have identified a new Linux malware called Quasar Linux RAT (QLNX) that stealthily targets developers. It extracts sensitive credentials from developer environments, potentially enabling malicious package pushes and cloud access. The malware’s sophisticated persistence and stealth features make it a significant threat to software supply chains.

A new Linux malware named Quasar Linux RAT (QLNX) has been identified targeting developers’ systems to steal credentials and facilitate supply chain attacks, according to Trend Micro researchers. This malware’s ability to stealthily harvest sensitive secrets poses a significant risk to software development environments and cloud infrastructure security.

Trend Micro’s technical analysis reveals that QLNX targets high-value developer and DevOps credentials stored in files such as .npmrc, .pypirc, .git-credentials, and cloud configuration files. Once running, it erases its executable from disk and operates entirely in memory, and it renames its process to look like a kernel thread such as kworker or ksoftirqd so that it blends into process listings. It employs multiple persistence mechanisms, including systemd units, crontab entries, and shell injection via .bashrc, to maintain long-term access.

QLNX exfiltrates collected credentials to an attacker-controlled server and supports 58 commands covering file management, process injection, keystroke logging, screenshot capture, and network tunnelling. It also ships a Pluggable Authentication Module (PAM) backdoor that intercepts plaintext credentials during SSH login and logs session data. A PAM module only sees a password when password authentication is used; a public-key login gives it no secret to capture, although sshd still runs the module’s session hooks. Stealth comes from a two-tier rootkit: a userland component loaded through LD_PRELOAD, which hooks the C-library calls that tools such as ps, ls, and netstat rely on, and a kernel-side eBPF component, together concealing the implant’s processes, files, and network activity from standard tools. The LD_PRELOAD layer only affects dynamically linked programs, whereas the eBPF layer is not bypassed simply by running a statically linked tool. The design goal is quiet, persistent credential theft that lets attackers compromise package repositories, cloud environments, and CI/CD pipelines.
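The behaviours described in the two paragraphs above (a userland process renamed to look like a kernel thread, an executable erased after launch, and LD_PRELOAD hooking via /etc/ld.so.preload) each leave a trace that can be read straight out of /proc without trusting ps or ls. The script below is an added example written for this article; it is not Trend Micro’s tooling and carries no QLNX indicators. The list of kernel-thread names is an assumption, and PROC_ROOT and PRELOAD_FILE are overridable only so the checks can be exercised against constructed fixtures.

```sh
#!/bin/sh
# Added example for this article (not Trend Micro's tooling, no QLNX indicators):
# hunt for kernel-thread masquerading, deleted executables and ld.so.preload
# entries by reading /proc directly. PROC_ROOT and PRELOAD_FILE exist only so
# the checks can be run against fixtures.

PROC_ROOT="${PROC_ROOT:-/proc}"
PRELOAD_FILE="${PRELOAD_FILE:-/etc/ld.so.preload}"

# Kernel-thread names an implant might borrow (assumed list; extend as needed).
kthread_name() {
    case "$1" in
        kworker*|ksoftirqd*|kthreadd|migration*|rcu_*|kswapd*|kcompactd*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if process directory $1 carries a kernel-thread name but is really a
# userland process. Genuine kernel threads are children of kthreadd (PID 2;
# kthreadd itself has PPid 0) and have no executable image behind /proc/PID/exe.
fake_kthread() {
    dir="$1"
    comm=$(cat "$dir/comm" 2>/dev/null) || return 1
    kthread_name "$comm" || return 1
    ppid=$(awk '/^PPid:/ { print $2 }' "$dir/status" 2>/dev/null)
    [ -n "$ppid" ] || return 1
    case "$ppid" in 0|2) ;; *) return 0 ;; esac
    readlink "$dir/exe" >/dev/null 2>&1   # resolvable exe => not a kernel thread
}

# Succeed if process $1 runs from an executable unlinked after launch: the
# kernel marks the exe link with a "(deleted)" suffix.
deleted_exe() {
    target=$(readlink "$1/exe" 2>/dev/null) || return 1
    case "$target" in *" (deleted)") return 0 ;; *) return 1 ;; esac
}

# Print the active entries of an ld.so.preload-style file: libraries forced into
# every dynamically linked program on the host. Most hosts have no such file,
# so any entry needs an owner.
preload_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Walk every process directory and report findings; always exits 0 so it can
# sit in a cron job or agent check without masking other errors.
scan() {
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        if fake_kthread "$dir"; then
            echo "SUSPECT pid=$pid comm=$(cat "$dir/comm") reason=kernel-thread-name-on-userland-process"
        fi
        if deleted_exe "$dir"; then
            echo "SUSPECT pid=$pid exe=$(readlink "$dir/exe") reason=executable-deleted"
        fi
    done
    n=$(preload_entries "$PRELOAD_FILE" | grep -c . || true)
    if [ "$n" -gt 0 ]; then
        echo "SUSPECT $PRELOAD_FILE entries=$n"
        preload_entries "$PRELOAD_FILE"
    fi
    return 0
}

if [ "${1:-}" = "--scan" ]; then scan; fi
```

Run it as root with `sh hunt.sh --scan`. Two caveats follow directly from the rootkit design above: an active LD_PRELOAD layer hooks every dynamically linked program, this shell and its cat, awk and readlink included, so run the check from a statically linked busybox or from a rescue boot of the disk; and an eBPF layer can filter what any userland reader sees in /proc, so corroborate with `bpftool prog list` for programs you did not load and with package-manager verification of the PAM libraries (`dpkg --verify libpam-modules` or `rpm -V pam`) to catch a replaced module.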

Why It Matters

This discovery underscores a critical threat to the software supply chain, as compromised developer credentials can enable attackers to push malicious code to repositories like npm or PyPI, or access cloud infrastructure. The malware’s stealth capabilities and extensive control features make detection difficult, increasing the risk of widespread downstream impacts including data breaches, malicious package distribution, and infrastructure sabotage.

Background

While supply chain attacks have grown in prominence, this is among the first reports of a Linux-based implant specifically targeting developer credentials at this scale. Previous incidents have focused on Windows or cloud infrastructure, but QLNX’s focus on Linux developer environments highlights evolving attacker tactics. The malware’s discovery by Trend Micro adds to ongoing concerns about sophisticated, long-term stealthy threats aimed at software integrity and developer environments.

“QLNX targets developers and DevOps credentials across the software supply chain, extracting secrets from high-value files and enabling supply chain attacks.”

— Aliakbar Zahravi, Trend Micro researcher

“Its capabilities chain together into a coherent attack workflow—arrive, erase from disk, persist through multiple mechanisms, hide at both user and kernel levels, and harvest critical credentials.”

— Ahmed Mohamed Ibrahim, Trend Micro researcher

What Remains Unclear

It remains unclear how QLNX is initially delivered to target systems, as the distribution vector has not been publicly disclosed. Details about the specific threat actors behind the malware are also unknown. Ongoing investigations may reveal further operational details or new variants.

What’s Next

Security researchers and organizations should monitor for signs of QLNX activity, particularly in developer environments and CI/CD pipelines. Updates to detection signatures and incident response plans are advised. Further analysis may reveal the malware’s distribution methods and potential attribution to threat groups.

Key Questions

How is Quasar Linux RAT likely being delivered?

The exact delivery method remains unconfirmed. It could involve phishing, malicious repositories, or compromised CI/CD pipelines, but further investigation is needed.

What can developers do to protect against this malware?

Keep long-lived registry and cloud tokens out of plaintext files on workstations where possible (scoped, short-lived tokens, credential helpers, and trusted publishing for package releases), restrict who can log in to developer hosts and CI runners, monitor for the persistence and process-masquerading behaviour described above, verify the integrity of development hosts and their PAM libraries against package-manager records, and keep systems patched.
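A first step is knowing which of the files named in the report actually hold a reusable secret on a given host, and whether anyone else on the machine can read them. The script below is an added example for this article, not Trend Micro’s tooling; the file list and the per-format match patterns are assumptions about the usual layouts of npm, pip, git, AWS and Docker configuration, not indicators of compromise. Secrets are redacted before being printed.

```sh
#!/bin/sh
# Added example for this article, not Trend Micro's tooling: inventory the
# per-user credential files named in the report, count the long-lived secrets
# they hold (redacted), and flag files readable by group or others. The file
# list and patterns are assumptions about common tool layouts, not signatures.

HOME_DIR="${HOME_DIR:-$HOME}"

# Files worth knowing about on a developer host (paths relative to the home dir).
CRED_FILES=".npmrc .pypirc .git-credentials .aws/credentials .docker/config.json"

# Print the lines of $1 that carry a reusable secret, with the secret redacted.
# Matching is keyed on the file's format so unrelated settings are ignored.
secret_refs() {
    f="$1"
    [ -r "$f" ] || return 0
    case "${f##*/}" in
        .npmrc)           pat='_authToken=|_auth=|_password=' ;;
        .pypirc)          pat='^[[:space:]]*password[[:space:]]*=' ;;
        .git-credentials) pat='^[a-z]+://[^:/@]+:[^@]+@' ;;
        credentials)      pat='^[[:space:]]*aws_secret_access_key[[:space:]]*=' ;;
        config.json)      pat='"auth"[[:space:]]*:' ;;
        *)                return 0 ;;
    esac
    # Keep everything up to the last '=' or ':' so the key or user stays visible.
    grep -E "$pat" "$f" | sed -E 's/([=:])[^=:]*$/\1<redacted>/'
    return 0
}

# Succeed if $1 is readable or writable by group or others (anything beyond 0600).
loose_mode() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" != "------" ]
}

# Walk the list and print one status line (plus redacted hits) per existing file.
audit_home() {
    home="${1:-$HOME_DIR}"
    for rel in $CRED_FILES; do
        f="$home/$rel"
        [ -f "$f" ] || continue
        n=$(secret_refs "$f" | grep -c . || true)
        if loose_mode "$f"; then mode=loose; else mode=0600; fi
        echo "$f secrets=$n mode=$mode"
        secret_refs "$f" | sed 's/^/    /'
    done
    return 0
}

if [ "${1:-}" = "--audit" ]; then audit_home; fi
```

Run `sh audit.sh --audit` as the developer user, or `HOME_DIR=/home/alice sh audit.sh --audit` as root. Every file it lists with secrets greater than zero is exactly what an implant running as that user can read, whatever its permissions, so the useful follow-up is to replace the token with a short-lived or scoped one rather than merely tightening the mode.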

Is this malware specific to Linux or targeting other platforms?

Current analysis describes a Linux-only implant. The credential files it targets are the ordinary per-user configuration files of tools such as npm, pip and git, which exist on other platforms too, but the reported loader, persistence and rootkit components are built for Linux.

Could this malware be used to push malicious packages?

Yes, by harvesting credentials, attackers could potentially push malicious updates or packages to repositories like npm or PyPI, affecting downstream users.