Published on May 9, 2026

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise


Severity

Medium

Detail

Cybersecurity researchers have discovered a sophisticated Linux malware implant called Quasar Linux RAT (QLNX) that targets developers and DevOps environments. The malware is designed to steal sensitive credentials, maintain long-term persistence, and compromise software supply chains by accessing cloud services, package repositories, and CI/CD pipelines.

How?

QLNX focuses on harvesting credentials from critical developer files such as .npmrc, .pypirc, .aws/credentials, .git-credentials, Kubernetes configs, Docker files, GitHub CLI tokens, and .env files. By stealing these secrets, attackers could push malicious packages to npm or PyPI registries or gain unauthorized access to cloud infrastructure.
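For defenders, the practical follow-up to this list is to know which of these files exist on a developer host and whether anything other than the owner can read them. The script below is an added example (not code from the article or from the researchers who analysed QLNX); it inventories the credential files the article names and flags any with permissions looser than owner-only. The Docker path `.docker/config.json` and the GitHub CLI path `.config/gh/hosts.yml` are assumed default locations, not taken from the article.

```python
"""Inventory developer credential files under a home directory and report
those readable by group or others. Added example, not from the article."""
import glob
import os
import stat

# Files the article names as harvest targets, relative to a user's home.
# The Docker and GitHub CLI locations are assumed defaults (not from the article).
CREDENTIAL_GLOBS = [
    ".npmrc",
    ".pypirc",
    ".aws/credentials",
    ".git-credentials",
    ".kube/config",
    ".docker/config.json",        # assumed default Docker client config path
    ".config/gh/hosts.yml",       # assumed default GitHub CLI token store
    "**/.env",                    # project .env files anywhere below home
]

# Any group/other permission bit on a credential file is a finding.
LOOSER_THAN_OWNER_ONLY = stat.S_IRWXG | stat.S_IRWXO


def credential_inventory(home):
    """Return {'present': [relpath, ...], 'exposed': [(relpath, mode), ...]}.

    'present' is every credential file found (the blast radius if the host is
    compromised); 'exposed' is the subset whose mode is looser than 0600."""
    present, exposed = [], []
    for pattern in CREDENTIAL_GLOBS:
        # recursive=True makes '**' match zero or more directories; note that
        # Python's glob skips hidden directories for '**' unless told otherwise.
        for path in glob.glob(os.path.join(home, pattern), recursive=True):
            if not os.path.isfile(path):
                continue
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except OSError:
                continue
            rel = os.path.relpath(path, home)
            present.append(rel)
            if mode & LOOSER_THAN_OWNER_ONLY:
                exposed.append((rel, oct(mode)))
    return {"present": sorted(present), "exposed": sorted(exposed)}


if __name__ == "__main__":
    report = credential_inventory(os.path.expanduser("~"))
    print("credential files present:", *report["present"], sep="\n  ")
    print("readable beyond owner:", *report["exposed"], sep="\n  ")
```

Run it per user account on a build host or developer workstation; the "present" list is what an attacker with that user's privileges would obtain regardless of mode, so it is also the list of secrets to rotate after a suspected compromise.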

The malware runs filelessly in memory and disguises itself as legitimate Linux kernel threads like kworker to avoid detection. It also wipes system logs and establishes persistence through multiple methods, including:

  • systemd services
  • crontab entries
  • .bashrc shell injection
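The three persistence mechanisms above are all file-backed, so they can be audited from disk even when the running implant hides its process. The following audit script is an added example written for this page (it is not the researchers' tooling and uses no indicators from the article); the heuristics, such as treating an ExecStart or crontab line that launches from /tmp, /dev/shm or a hidden dot-directory as worth a look, are the editor's own triage rules and will need tuning per environment.

```python
"""Audit systemd units, crontabs and shell rc files for persistence entries
that launch from scratch or hidden locations. Added example, not from the
article; heuristics are the editor's own and will need local tuning."""
import glob
import os
import re

# Launch locations a legitimately packaged service or cron job rarely uses.
SUSPECT_PATH_RE = re.compile(
    r"(^|[\s=])(/tmp|/var/tmp|/dev/shm|/home/[^/\s]+/\.[^\s/]+|/root/\.[^\s/]+)/")
# Shell idioms typical of download-and-run or decode-and-run loaders.
SUSPECT_CMD_RE = re.compile(
    r"(curl|wget)[^|;\n]*\|\s*(ba)?sh\b|base64\s+(-d|--decode)|\bnohup\s|/proc/self/exe")


def _lines(path):
    """Stripped lines of a text file; unreadable paths and directories yield []."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [ln.strip() for ln in fh.read().splitlines()]
    except OSError:
        return []


def is_suspicious(line):
    """Triage heuristic: suspect launch path or loader idiom on the line."""
    return bool(SUSPECT_PATH_RE.search(line) or SUSPECT_CMD_RE.search(line))


def audit_systemd_units(unit_files):
    """Flag Exec* directives in unit files that point at suspect locations."""
    found = []
    for path in sorted(unit_files):
        for ln in _lines(path):
            if ln.startswith("Exec") and is_suspicious(ln):
                found.append(("systemd", path, ln))
    return found


def audit_crontabs(cron_files):
    """Flag @reboot entries (a classic persistence marker) and suspect commands."""
    found = []
    for path in sorted(cron_files):
        for ln in _lines(path):
            if ln and not ln.startswith("#") and (ln.startswith("@reboot") or is_suspicious(ln)):
                found.append(("cron", path, ln))
    return found


def audit_shell_rc(rc_files):
    """Flag injected lines in .bashrc/.profile that run something suspect."""
    found = []
    for path in sorted(rc_files):
        for ln in _lines(path):
            if ln and not ln.startswith("#") and is_suspicious(ln):
                found.append(("shellrc", path, ln))
    return found


def audit_persistence(sysroot="/"):
    """Walk the standard systemd, cron and shell rc locations under sysroot
    (pass a mounted image root to audit a host offline)."""
    g = lambda pat: glob.glob(os.path.join(sysroot, pat))
    units = (g("etc/systemd/system/*.service") + g("usr/lib/systemd/system/*.service")
             + g("home/*/.config/systemd/user/*.service") + g("root/.config/systemd/user/*.service"))
    crons = (g("etc/crontab") + g("etc/cron.d/*")
             + g("var/spool/cron/crontabs/*") + g("var/spool/cron/*"))
    rcs = (g("home/*/.bashrc") + g("home/*/.profile") + g("home/*/.bash_profile")
           + g("root/.bashrc") + g("root/.profile"))
    return audit_systemd_units(units) + audit_crontabs(crons) + audit_shell_rc(rcs)


if __name__ == "__main__":
    for kind, path, line in audit_persistence():
        print(f"[{kind}] {path}: {line}")
```

Because a rootkit on the live host can filter what the audit sees, the most trustworthy run is against a disk image or a read-only mount from a clean system, which is why every location is resolved relative to a `sysroot` argument.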

Once active, QLNX communicates with command-and-control servers over TCP, HTTP, and HTTPS, allowing attackers to execute shell commands, manage files, log keystrokes, capture screenshots, and create SOCKS proxies or network tunnels. It also includes PAM-based backdoors that intercept plaintext login credentials and SSH session data.

To remain hidden, the malware uses a two-layer rootkit approach. A userland rootkit hides files and processes through LD_PRELOAD, while a kernel-level eBPF component conceals processes, files, and network ports from monitoring tools like ps and netstat.
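The kworker disguise described earlier and the two-layer rootkit described here each leave something checkable from /proc and the filesystem: a genuine kernel thread is parented by kthreadd (PID 2) and has an empty cmdline, an LD_PRELOAD rootkit needs /etc/ld.so.preload or an LD_PRELOAD variable in a process environment, and a process hidden from ps by filtering the /proc directory listing can still be reached by probing /proc/<pid> directly. The script below is an added example written for this page (not the researchers' tooling; it uses no indicators from the article) that implements those three cross-checks; it takes `proc_root` and `sysroot` parameters so it can be exercised against a constructed /proc tree.

```python
"""Defender-side triage for the hiding techniques described above: kworker
masquerading, LD_PRELOAD injection, and processes hidden from ps.
Added example, not from the article or its researchers."""
import os
import re
import subprocess

KTHREADD_PID = 2
# Names real kernel threads commonly use and that malware borrows.
KTHREAD_NAME_RE = re.compile(r"^(kworker|ksoftirqd|kswapd|migration|rcu_)")


def _read(path, default=""):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return default


def _status_fields(proc_root, pid):
    """Parse /proc/<pid>/status into a {field: value} dict."""
    fields = {}
    for line in _read(os.path.join(proc_root, str(pid), "status")).splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _listed_pids(proc_root):
    try:
        return {int(d) for d in os.listdir(proc_root) if d.isdigit()}
    except OSError:
        return set()


def masquerading_kernel_threads(proc_root="/proc"):
    """Return (pid, name, ppid) for processes named like kernel threads that
    are not parented by kthreadd or that carry a non-empty cmdline; a real
    kernel thread fails neither test."""
    suspects = []
    for pid in sorted(_listed_pids(proc_root)):
        st = _status_fields(proc_root, pid)
        name = st.get("Name", "")
        if not KTHREAD_NAME_RE.match(name):
            continue
        ppid = int(st.get("PPid") or -1)
        cmdline = _read(os.path.join(proc_root, str(pid), "cmdline")).strip("\0")
        if ppid != KTHREADD_PID or cmdline:
            suspects.append((pid, name, ppid))
    return suspects


def ld_preload_indicators(sysroot="/", proc_root="/proc"):
    """Report the system-wide preload file and any process whose environment
    carries LD_PRELOAD: the two injection points a userland rootkit needs.
    Reading other users' environ requires root."""
    findings = []
    preload = _read(os.path.join(sysroot, "etc", "ld.so.preload")).strip()
    if preload:
        findings.append(("etc/ld.so.preload", preload))
    for pid in sorted(_listed_pids(proc_root)):
        for var in _read(os.path.join(proc_root, str(pid), "environ")).split("\0"):
            if var.startswith("LD_PRELOAD="):
                findings.append((f"pid {pid} environ", var))
    return findings


def hidden_pids(reported_pids, proc_root="/proc", pid_max=None):
    """Cross-check a tool's view of running PIDs (e.g. `ps -e -o pid=`) against
    direct probing of /proc/<pid>, which bypasses a filtered directory listing.
    Thread IDs also answer to /proc/<tid>, so only thread-group leaders count."""
    if pid_max is None:
        pid_max = int(_read(os.path.join(proc_root, "sys", "kernel", "pid_max"), "32768"))
    probed = set()
    for pid in range(1, pid_max + 1):
        if os.path.isdir(os.path.join(proc_root, str(pid))):
            if _status_fields(proc_root, pid).get("Tgid", str(pid)) == str(pid):
                probed.add(pid)
    return sorted(probed - set(reported_pids))


def pids_reported_by_ps():
    """Live helper: the PIDs `ps` believes are running on this host."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    return {int(tok) for tok in out.split()}


if __name__ == "__main__":
    print("masquerading kernel threads:", masquerading_kernel_threads())
    print("LD_PRELOAD indicators:", ld_preload_indicators())
    print("PIDs hidden from ps:", hidden_pids(pids_reported_by_ps()))
```

Run it as root so every process's environ is readable; the PID probe walks up to pid_max entries (over four million on many distributions) and takes a few seconds. The probe defeats hiding that filters the /proc listing, but an eBPF component that also tampers with stat or status reads can hide from it too, so treat a clean result from a suspect host as weaker evidence than a cross-check from outside it (network telemetry or an offline disk image).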

Conclusion

QLNX represents a major threat to developer and DevOps systems because it combines stealth, persistence, and credential theft into a single malware framework. By targeting software supply chains and cloud environments, attackers could compromise organizations at scale through poisoned packages and stolen infrastructure access.

The discovery highlights the growing need for stronger Linux monitoring, credential protection, and security controls around development environments.

Source

https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html