VYPR
Research · Published May 4, 2026 · Updated May 20, 2026 · 2 sources

New 'Quasar Linux RAT' Targets Developers to Compromise Software Supply Chains

A sophisticated, fileless Linux Remote Access Trojan (RAT) named Quasar Linux RAT (QLNX) is actively targeting developer environments to harvest credentials and facilitate software supply chain compromises.

A newly discovered Linux-based Remote Access Trojan (RAT), dubbed Quasar Linux RAT (QLNX), has been identified targeting developers and DevOps professionals. Researchers at Trend Micro report that the malware is specifically engineered to compromise the software supply chain by harvesting high-value credentials from developer workstations (The Hacker News).

The malware functions as a sophisticated, fileless implant that executes directly from memory. To maintain stealth, it masquerades as legitimate kernel threads, such as kworker or ksoftirqd. Its primary objective is the systematic theft of secrets, including .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, and GitHub CLI tokens (The Hacker News). By compromising these assets, attackers can gain unauthorized access to CI/CD pipelines, potentially allowing them to inject malicious code into software packages distributed via public registries.

QLNX employs a multi-layered architecture to ensure persistence and evasion. It utilizes seven distinct persistence mechanisms, including systemd services, crontab entries, and .bashrc shell injections. For concealment, the malware uses a two-tiered rootkit approach: a userland rootkit leveraging the LD_PRELOAD mechanism to hide artifacts, and a kernel-level eBPF component that obscures processes, files, and network ports from standard monitoring tools like ps, ls, and netstat (The Hacker News).

The implant's operational capabilities are extensive, supporting 58 distinct commands. These include keylogging, clipboard monitoring, file manipulation, and network tunneling. Furthermore, QLNX features a Pluggable Authentication Module (PAM) inline-hook backdoor that intercepts plaintext credentials during authentication events and logs outbound SSH session data. It also includes a second PAM-based logger that injects into dynamically linked processes to extract usernames and authentication tokens (The Hacker News).

While the initial delivery vector for QLNX remains unknown, once established, the malware maintains a persistent connection to its command-and-control (C2) server using raw TCP, HTTPS, or HTTP. It is also capable of managing a peer-to-peer (P2P) mesh network and executing Beacon Object Files (BOFs) to further its reach within a compromised environment (The Hacker News).

The emergence of QLNX highlights a growing trend of sophisticated malware tailored specifically for the software development lifecycle. By chaining together credential harvesting, kernel-level stealth, and persistence, the malware is designed for long-term espionage and supply chain manipulation. Security teams should monitor for anomalous kernel thread activity and unexpected modifications to authentication modules or environment configuration files to detect potential QLNX infections (The Hacker News).
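One way to turn the detection advice above into a first-pass host check, as an added example rather than code from the article or from Trend Micro: the hypothetical POSIX sh script below flags processes whose name imitates kworker or ksoftirqd but that lack the properties of a real kernel thread, and lists any entries in the system-wide LD_PRELOAD file. Because QLNX's eBPF component can hide processes and files from /proc-based tools, an empty result only means nothing was visible from the host itself.

```shell
#!/bin/sh
# Hypothetical triage script (added example, not Trend Micro's or the article's code).
# Flags processes whose comm imitates a kernel thread (kworker/ksoftirqd) but lack the
# properties of a real one, and lists entries in the system-wide LD_PRELOAD file.
# Caveat: a kernel-level eBPF rootkit can hide entries from /proc, so an empty result
# means only that nothing was visible from this host.

# Real kernel threads are children of kthreadd (PID 2), have an empty
# /proc/<pid>/cmdline and no readable /proc/<pid>/exe link. Any process that
# calls itself kworker*/ksoftirqd* yet fails one of those tests is printed as
# "pid comm ppid". $1 is the proc root (default /proc) so a fixture can be used.
check_fake_kthreads() {
    proc_root="${1:-/proc}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        dir="${status%/status}"
        pid="${dir##*/}"
        comm=$(sed -n 's/^Name:[[:space:]]*//p' "$status")
        ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$status")
        case "$comm" in
            kworker*|ksoftirqd*) ;;
            *) continue ;;
        esac
        # "-s" cannot be used on procfs files (stat reports size 0), so read
        # cmdline and strip the NUL separators instead.
        argv=$(cat "$dir/cmdline" 2>/dev/null | tr -d '\000')
        if [ "$ppid" != "2" ] || [ -n "$argv" ] || readlink "$dir/exe" >/dev/null 2>&1; then
            echo "$pid $comm $ppid"
        fi
    done
    return 0
}

# /etc/ld.so.preload is the system-wide hook an LD_PRELOAD rootkit can use to load
# into every new dynamically linked process. It is normally absent or empty.
check_ld_preload() {
    preload="${1:-/etc/ld.so.preload}"
    if [ -s "$preload" ]; then
        grep -v '^[[:space:]]*$' "$preload" || :
    fi
    return 0
}

echo "== processes masquerading as kernel threads (pid comm ppid) =="
check_fake_kthreads /proc
echo "== /etc/ld.so.preload entries =="
check_ld_preload /etc/ld.so.preload
```

Run it as root so /proc/<pid>/exe is readable for every process; both functions accept an alternate path so the logic can be exercised against a constructed fixture instead of the live system.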

Trend Micro's deep-dive analysis reveals that QLNX carries embedded C source code for its PAM backdoor and LD_PRELOAD rootkit as string literals, dynamically compiling them on the target host via gcc. The credential harvester specifically targets developer secrets from files such as .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, and .docker/config.json, enabling supply-chain compromise through the npm and PyPI registries. Additionally, the RAT incorporates a P2P mesh networking capability that transforms individual implants into a resilient, hard-to-eradicate network.

Synthesized by Vypr AI