Quasar Linux RAT Targets Developer Credentials in Software Supply Chain Attacks

Malware Family: Quasar Linux RAT (QLNX, Quasar RAT Linux variant)
Attribution: Unknown origin; developer-targeting threat actor
Primary Targets: Software developers — npm, PyPI, AWS, Docker, CI/CD
C2 Commands: 58 distinct commands documented
Persistence Methods: 7 mechanisms — fileless, rootkit-backed
Objective: Supply chain compromise via developer credential theft

A previously undocumented Linux remote access trojan dubbed Quasar Linux RAT (QLNX) is systematically targeting software developers to compromise the entire supply chain. According to Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim, the malware specifically harvests credentials from high-value targets including npm tokens, PyPI credentials, Git repositories, AWS accounts, Kubernetes configurations, Docker registries, Vault tokens, Terraform credentials, and GitHub CLI tokens. The compromise of a single package maintainer could enable attackers to push malicious code that propagates to thousands of downstream users.

Credential Harvesting Across the Development Stack

QLNX's credential harvester targets the critical authentication files that developers rely on daily. The malware extracts secrets from .npmrc files containing npm publishing tokens, .pypirc files with Python Package Index credentials, .git-credentials for repository access, .aws/credentials for cloud infrastructure, .kube/config for Kubernetes clusters, .docker/config.json for container registries, .vault-token for secrets management, Terraform state files, GitHub CLI authentication tokens, and .env files containing application secrets.
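An added audit script (not code from the report or from the malware) that walks a developer's home directory and reports which of the files named above are present and whether they are readable beyond their owner; the gh CLI hosts path and the .tfstate suffix are assumptions about where those credentials usually sit.

```python
import os
from pathlib import Path

# Files QLNX's harvester collects (per the write-up) and what a stolen copy unlocks.
# gh's default hosts file path is assumed; .tfstate is Terraform's state extension.
QLNX_TARGET_FILES = {
    ".npmrc": "npm publish token",
    ".pypirc": "PyPI upload credentials",
    ".git-credentials": "Git HTTPS credentials",
    ".aws/credentials": "AWS access keys",
    ".kube/config": "Kubernetes cluster access",
    ".docker/config.json": "container registry auth",
    ".vault-token": "Vault token",
    ".config/gh/hosts.yml": "GitHub CLI token",
}

def classify(path, home):
    """Return (path relative to home, what it unlocks) for a harvester target."""
    rel = os.path.relpath(path, home)
    if rel in QLNX_TARGET_FILES:
        return rel, QLNX_TARGET_FILES[rel]
    if os.path.basename(path) == ".env":      # .env files live in any project dir
        return rel, "application secrets"
    if path.endswith(".tfstate"):
        return rel, "Terraform state (may embed provider secrets)"
    return None

def audit(entries, home):
    """entries: iterable of (path, st_mode). One finding per harvester target."""
    findings = []
    for path, mode in entries:
        hit = classify(path, home)
        if hit is not None:
            findings.append({"file": hit[0], "unlocks": hit[1],
                             # group/world readable: any co-tenant user can read it
                             "loose_perms": bool(mode & 0o044)})
    return findings

def scan_home(home=None):
    """Walk a home directory (default: the current user's) and audit every file."""
    home = home or str(Path.home())
    entries = []
    for root, _, files in os.walk(home):
        for name in files:
            p = os.path.join(root, name)
            try:
                entries.append((p, os.lstat(p).st_mode))
            except OSError:        # vanished or unreadable; skip
                pass
    return audit(entries, home)
```

Every file it reports is one the harvester would copy; each one should be moved into a vault or at least locked to mode 0600 and its token rotated if the host is suspect.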

An attacker who gains access to these credentials can push poisoned packages to npm or PyPI registries that millions of developers consume. They can access cloud infrastructure hosting production applications, pivot through CI/CD pipelines to inject malicious code into automated deployment workflows, and establish persistence across the entire software development lifecycle.

Critical Impact

Compromise of a single package maintainer's credentials allows attackers to poison trusted software packages, potentially affecting thousands of downstream applications and millions of users. This represents a multiplier effect where one breach cascades throughout the software supply chain.

Fileless Execution and Advanced Evasion

QLNX operates entirely from memory without writing executables to disk, making it extremely difficult to detect through traditional file-based scanning. The malware masquerades as legitimate kernel threads with names like kworker or ksoftirqd—processes that system administrators expect to see running on Linux systems. It profiles the host environment to detect containerized deployments, wipes system logs to eliminate forensic evidence, and employs seven different persistence mechanisms to ensure it survives reboots and system updates.
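The kernel-thread disguise has a simple tell: a genuine kworker or ksoftirqd is a child of kthreadd (pid 2), has an empty /proc/<pid>/cmdline and no /proc/<pid>/exe link, while a memory-resident implant shows an exe link into a memfd or a deleted file. The check below is an added example (not the report's tooling) that applies those tests to every process in /proc; run it as root for full coverage, since exe links of other users' processes are unreadable otherwise.

```python
import os
# Names QLNX borrows from real kernel threads; genuine ones are children of
# kthreadd (pid 2), have an empty cmdline and no backing executable.
KTHREAD_PREFIXES = ("kworker", "ksoftirqd")

def assess(pid, comm, ppid, cmdline, exe):
    """Reasons one process looks suspicious ([] if genuine). cmdline is the raw
    bytes of /proc/<pid>/cmdline; exe is the readlink of /proc/<pid>/exe or None."""
    reasons = []
    looks_kernel = comm.startswith(KTHREAD_PREFIXES)
    if looks_kernel and pid != 2 and ppid != 2:
        reasons.append("kernel-thread name but not a child of kthreadd (pid 2)")
    if looks_kernel and cmdline:
        reasons.append("kernel-thread name but has a user-space cmdline")
    if looks_kernel and exe is not None:
        reasons.append("kernel-thread name but /proc/<pid>/exe resolves to a file")
    if exe and exe.startswith("/memfd:"):
        reasons.append("executing from an anonymous memfd (fileless)")
    elif exe and exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after launch")
    return reasons

def read_proc(pid):
    """Collect (comm, ppid, cmdline, exe) for a pid from /proc."""
    base = f"/proc/{pid}"
    with open(f"{base}/stat") as f:
        stat_line = f.read()
    # comm is parenthesised and may contain spaces; fields resume after the last ')'
    comm = stat_line[stat_line.index("(") + 1:stat_line.rindex(")")]
    ppid = int(stat_line[stat_line.rindex(")") + 1:].split()[1])
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:   # ENOENT for kernel threads, EACCES for other users' processes
        exe = None
    return comm, ppid, cmdline, exe

def scan_proc():
    """Map pid -> reasons for every process that fails the checks."""
    hits = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                reasons = assess(int(name), *read_proc(int(name)))
            except OSError:      # exited mid-scan
                continue
            if reasons:
                hits[int(name)] = reasons
    return hits
```

A userland or eBPF rootkit on the same host can filter what /proc shows this script, so treat an empty result as inconclusive and confirm from a statically linked tool or a forensic image.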

The persistence methods include systemd service units for automatic startup, crontab entries for scheduled execution, .bashrc shell injection that triggers on user login, and four additional techniques. This redundancy ensures that even if defenders discover and remove one persistence mechanism, the malware maintains its foothold through the others.
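An added persistence audit (example code, not from the report) that parses the three named mechanisms, crontab entries, systemd Exec* lines and shell rc lines, and flags commands that re-stage from a temporary directory or decode their payload at run time; the sample crontab is constructed for illustration.

```python
import re

# Places a memory-resident implant typically re-stages from; a persistence entry
# pointing here, or decoding its payload at run time, deserves a look.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
RUNTIME_DECODE = re.compile(r"base64\s+(-d|--decode)|\beval\b|\b(curl|wget)\b.*\|\s*(ba)?sh\b")
SAMPLE_CRONTAB = "@reboot /bin/sh -c 'base64 -d /dev/shm/.s | sh'\n0 3 * * * /usr/bin/backup.sh\n"  # constructed

def flag(source, cmd):
    """Return (source, cmd, reasons) if a persistence command looks suspect, else None."""
    cmd = cmd.strip()
    reasons = []
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append("runs from a temporary/staging directory")
    if RUNTIME_DECODE.search(cmd):
        reasons.append("decodes or evaluates its payload at run time")
    return (source, cmd, reasons) if reasons else None

def crontab_commands(text):
    """Yield the command field of each crontab entry (5 time fields, or @reboot etc.)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) == (2 if line.startswith("@") else 6):
            yield parts[-1]

def systemd_exec_commands(text):
    """Yield Exec* command lines from a unit file."""
    for line in text.splitlines():
        if line.startswith(("ExecStart=", "ExecStartPre=", "ExecStartPost=")):
            yield line.split("=", 1)[1]

def shell_rc_commands(text):
    """Every non-comment line of a shell rc file runs at login, so check each."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line

def audit(crontab="", unit="", bashrc=""):
    """Run the three parsers over the supplied text and collect findings."""
    findings = []
    for source, cmds in (("crontab", crontab_commands(crontab)),
                         ("systemd", systemd_exec_commands(unit)),
                         ("bashrc", shell_rc_commands(bashrc))):
        findings += [f for f in (flag(source, c) for c in cmds) if f]
    return findings
```

Feed it the output of crontab -l for each user, every unit under /etc/systemd/system and ~/.config/systemd/user, and each user's .bashrc/.profile; because QLNX plants several mechanisms, a hit in one place is a reason to sweep all of them.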

Dual-Layer Rootkit Architecture

QLNX implements a sophisticated two-tiered rootkit system to hide from detection. The userland component leverages Linux's LD_PRELOAD mechanism to intercept system calls and hide the implant's artifacts, processes, and network connections from standard monitoring tools. The kernel-level component uses eBPF (extended Berkeley Packet Filter) to operate at a deeper system level, concealing processes from ps commands, files from ls output, and network ports from netstat queries.
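Both rootkit layers work by filtering what directory listings of /proc return, so one defender-side check is to enumerate pids by stat()ing /proc/<n> directly and compare against the listing, and to inspect /etc/ld.so.preload, the file that forces a library into every dynamically linked process. This is an added example, not tooling from the report.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs as a directory listing reports them: the view a readdir hook filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(pid_max, proc="/proc"):
    """PIDs found by stat()ing /proc/<n> for every possible n, bypassing readdir."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
    return found

def hidden_pids(listed, probed):
    """PIDs reachable by direct path but missing from the listing."""
    return sorted(probed - listed)

def read_pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())

def confirmed_hidden(proc="/proc"):
    """Two-pass check: a pid must be absent from listings taken before and after
    the probe, so processes that start mid-scan are not reported."""
    first = listed_pids(proc)
    probed = probed_pids(read_pid_max(), proc)
    second = listed_pids(proc)
    return [p for p in hidden_pids(first | second, probed)
            if os.path.exists(f"{proc}/{p}/status")]

def preload_libraries(path="/etc/ld.so.preload"):
    """Libraries forced into every dynamically linked process; normally empty."""
    try:
        with open(path) as f:
            return [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except FileNotFoundError:
        return []
```

A preload library that also wraps stat()/open(), or an eBPF program attached to those syscalls, will fool this probe too; repeat it from a statically linked binary or against a forensic image before trusting an empty result.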

The malware also deploys two PAM (Pluggable Authentication Module) backdoors. The first uses inline hooking to intercept plaintext credentials during authentication events and logs outbound SSH session data. The second PAM component automatically loads into every dynamically linked process on the system, extracting service names, usernames, and authentication tokens across all applications. This comprehensive credential theft capability ensures attackers capture authentication data regardless of which services developers use.

Command and Control Infrastructure

After establishing initial access through unknown delivery methods, QLNX enters a persistent operational phase. It continuously attempts to establish and maintain communication with attacker-controlled command-and-control servers using multiple protocols: raw TCP for low-level network access, HTTPS for encrypted communication that blends with normal web traffic, and HTTP as a fallback option.

The malware supports 58 distinct commands that give operators complete control over compromised systems. These commands enable remote shell execution, file system manipulation, process injection, screenshot capture, keystroke logging, SOCKS proxy establishment, TCP tunnel creation, Beacon Object File execution, and management of peer-to-peer mesh networks between infected hosts.

Technical Capabilities

QLNX's 58-command repertoire includes capabilities typically found in advanced persistent threat toolkits: memory-resident execution, multi-protocol C2 communication, kernel-level hiding, credential interception, and network pivoting. The combination of these features enables sophisticated, long-term compromises.

Supply Chain Attack Workflow

According to Trend Micro, what makes QLNX particularly dangerous is how its capabilities chain together into a coherent attack workflow. The malware arrives on target systems through currently unknown delivery mechanisms, immediately erases itself from disk while executing from memory, establishes six redundant persistence mechanisms, hides at both userspace and kernel levels using dual rootkit architecture, and systematically harvests the credentials that enable supply chain compromise.

This workflow targets the most critical assets in developer environments—the credentials that control software distribution. An attacker who successfully deploys QLNX against a maintainer of a popular npm or PyPI package gains the ability to push malicious updates that will be automatically downloaded and incorporated into thousands of applications. The poisoned packages can contain backdoors, data theft mechanisms, or additional malware that spreads further downstream.

Detection and Mitigation Strategies

Detecting QLNX requires advanced monitoring beyond traditional antivirus. Organizations should implement the following security controls:

Development organizations should adopt security practices that limit credential exposure. Store secrets in dedicated vaults rather than configuration files, implement multi-factor authentication for package registry publishing, require code signing for all package updates, and segregate production credentials from development environments. Regular security audits of developer workstations can identify compromised credentials before attackers exploit them for supply chain attacks.

The emergence of QLNX demonstrates that threat actors increasingly recognize developers as high-value targets. A single compromised developer account can provide access to code repositories, cloud infrastructure, and software distribution channels that affect millions of downstream users. Organizations must treat developer security with the same priority as production infrastructure protection, implementing defense-in-depth strategies that assume compromise and limit the blast radius of credential theft.
