New Linux Malware "Quasar Linux" (QLNX) Targets Developers in Supply Chain Attacks
Cybersecurity researchers have identified a highly sophisticated Linux remote access trojan (RAT) dubbed Quasar Linux (QLNX), a previously undocumented malware designed to infiltrate developer and DevOps workstations. The threat actor behind QLNX aims to steal credentials, enabling large-scale supply chain attacks by compromising trusted open-source packages on platforms like npm and PyPI.
Unlike conventional malware, QLNX functions as a full-fledged Linux implant, combining remote access, stealth, persistence, and credential harvesting in a single payload. Its minimal detection footprint allows attackers to maintain long-term, undetected access to infected systems.
How QLNX Operates
QLNX employs advanced evasion techniques to avoid detection:
- Fileless execution: The malware copies itself into memory, deletes its original file, and re-executes from RAM, leaving no disk-based traces.
- Process spoofing: It disguises itself as legitimate kernel threads (e.g., watchdog processes) to blend in with normal system activity.
- Environment wiping: The malware erases execution context variables to hinder forensic analysis.
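The first two techniques above leave recoverable traces in /proc. As an added example that is not from the article or the researchers, and a generic Linux heuristic rather than a QLNX signature, this Python scanner flags processes whose executable has been unlinked from disk (the kernel marks the exe link "(deleted)") and processes that carry a kernel-thread name while showing user-space evidence (a cmdline, a readable exe link, or a parent other than kthreadd, PID 2). The kernel-thread name list and the sample processes are constructed for the demo.

```python
import os
import re
from contextlib import suppress
from dataclasses import dataclass
from pathlib import Path

# Kernel-thread names an implant might borrow (constructed list). Genuine kernel
# threads have no cmdline, no readable exe link, and kthreadd (PID 2) as parent.
KTHREAD_NAME = re.compile(r"^(kworker|kthreadd|watchdog|ksoftirqd|migration|rcu_|kswapd)")
KTHREADD_PID = 2

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str       # /proc/<pid>/comm, the name ps shows
    cmdline: bytes  # /proc/<pid>/cmdline, NUL separated; empty for kernel threads
    exe: str        # readlink(/proc/<pid>/exe); "" when unreadable

def findings(p: ProcInfo) -> list[str]:
    """Heuristic hits for one process; an empty list means nothing suspicious."""
    out = []
    # Fileless re-execution: once the binary is unlinked (or only ever lived in
    # a memfd), the kernel reports the exe link target with a " (deleted)" suffix.
    if p.exe.endswith(" (deleted)"):
        out.append("executable deleted from disk")
    # Process spoofing: kernel-thread name with user-space evidence attached.
    if p.pid != KTHREADD_PID and KTHREAD_NAME.match(p.comm.strip("[]")):
        if p.cmdline or p.exe or p.ppid != KTHREADD_PID:
            out.append("kernel-thread name on a user-space process")
    return out

def read_proc(pid: int) -> ProcInfo:
    """Collect the fields for one PID from a live Linux /proc."""
    base = Path("/proc", str(pid))
    stat = (base / "stat").read_text()  # "pid (comm) state ppid ..."
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    ppid = int(stat[stat.rindex(")") + 1:].split()[1])
    cmdline = (base / "cmdline").read_bytes()
    try:
        exe = os.readlink(base / "exe")
    except OSError:  # kernel threads, or other users' processes without ptrace access
        exe = ""
    return ProcInfo(pid, ppid, comm, cmdline, exe)

def scan_live() -> dict[int, list[str]]:
    hits = {}  # {pid: hits} for every live process that trips a heuristic (Linux only)
    for pid in (int(n) for n in os.listdir("/proc") if n.isdigit()):
        with suppress(OSError):  # process exited mid-scan or entry unreadable
            if found := findings(read_proc(pid)):
                hits[pid] = found
    return hits
```

A process whose binary was upgraded in place while running also trips the first heuristic, and a legitimately installed user-space daemon named like a kernel thread (the watchdog package's daemon, for instance) trips the second, so treat hits as review candidates rather than verdicts.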
Credential Harvesting & Supply Chain Risks
QLNX’s primary objective is stealing high-value credentials from developer environments. It targets critical configuration files and authentication tokens, including:
- npm, PyPI and Git credential files (.npmrc, .pypirc, .git-credentials)
- AWS credentials (~/.aws/credentials)
- Kubernetes configurations (~/.kube/config)
- Docker Hub logins
- Environment variables (.env)
Additionally, QLNX deploys a malicious PAM (Pluggable Authentication Module) with inline hooking to intercept plaintext passwords during authentication. Stolen credentials are encrypted and hidden in system log directories, allowing attackers to bypass security controls and access cloud infrastructure.
A single compromised developer account can enable threat actors to:
- Push trojanized updates to millions of users
- Pivot through CI/CD pipelines
- Establish backdoors in production environments
Resilient Infrastructure & Detection Challenges
QLNX includes a peer-to-peer mesh networking capability, turning infected machines into a resilient botnet. This makes complete eradication across an enterprise difficult, as the malware can persist even if some nodes are cleaned.
Security platforms leveraging AI-driven threat hunting recently flagged QLNX, highlighting the limitations of traditional signature-based detection. Given the lack of uniform security controls in developer environments, such implants remain a persistent risk to software supply chains.
Source: https://cyberpress.org/qlnx-steals-developer-credentials/
PyPI TPRM report: https://www.rankiteo.com/company/pypi
npm TPRM report: https://www.rankiteo.com/company/npm-inc-
{
  "id": "pypnpm1778070456",
  "linkid": "pypi, npm-inc-",
  "type": "Cyber Attack",
  "date": "5/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Potentially millions (via trojanized packages)",
      "industry": "Technology, Software Development, Cloud Services",
      "type": "Developers, DevOps teams, open-source package maintainers"
    }
  ],
  "attack_vector": "Compromised developer workstations, malicious open-source packages",
  "data_breach": {
    "data_encryption": "Stolen data is encrypted before exfiltration",
    "data_exfiltration": "Encrypted and hidden in system log directories",
    "file_types_exposed": ".npmrc, .pypirc, .git-credentials, ~/.aws/credentials, ~/.kube/config, .env",
    "personally_identifiable_information": "Potentially (via stolen credentials and PAM hooking)",
    "sensitivity_of_data": "High (PII, cloud access keys, CI/CD secrets)",
    "type_of_data_compromised": "Credentials, authentication tokens, plaintext passwords, configuration files"
  },
  "description": "Cybersecurity researchers have identified a highly sophisticated Linux remote access trojan (RAT) dubbed Quasar Linux (QLNX), a previously undocumented malware designed to infiltrate developer and DevOps workstations. The threat actor behind QLNX aims to steal credentials, enabling large-scale supply chain attacks by compromising trusted open-source packages on platforms like npm and PyPI. QLNX functions as a full-fledged Linux implant, combining remote access, stealth, persistence, and credential harvesting in a single payload with a minimal detection footprint.",
  "impact": {
    "data_compromised": "Credentials (npm, PyPI, AWS, Kubernetes, Docker Hub, environment variables), authentication tokens, plaintext passwords",
    "identity_theft_risk": "High (stolen credentials, PAM hooking)",
    "operational_impact": "Potential trojanized updates to millions of users, backdoors in production environments",
    "systems_affected": "Developer and DevOps workstations, CI/CD pipelines, cloud infrastructure"
  },
  "initial_access_broker": {
    "backdoors_established": "Potential (via trojanized packages and cloud backdoors)",
    "high_value_targets": "Developer workstations, CI/CD pipelines, cloud infrastructure"
  },
  "lessons_learned": "Limitations of traditional signature-based detection, lack of uniform security controls in developer environments, persistence of supply chain threats",
  "motivation": "Credential theft, supply chain compromise, long-term access to cloud infrastructure",
  "post_incident_analysis": {
    "corrective_actions": "AI-driven threat hunting, enhanced monitoring, secure credential management, CI/CD pipeline security",
    "root_causes": "Lack of uniform security controls in developer environments, reliance on signature-based detection, unsecured credential storage"
  },
  "recommendations": "Enhance monitoring of developer workstations, implement AI-driven threat hunting, secure CI/CD pipelines, enforce least-privilege access, audit open-source package dependencies",
  "references": [
    {"source": "Cybersecurity research reports"}
  ],
  "response": {
    "enhanced_monitoring": "AI-driven threat hunting",
    "third_party_assistance": "AI-driven threat hunting platforms"
  },
  "title": "New Linux Malware 'Quasar Linux' (QLNX) Targets Developers in Supply Chain Attacks",
  "type": "Supply Chain Attack, Remote Access Trojan (RAT)"
}