VYPR research · Published May 6, 2026 · Updated May 17, 2026 · 1 source

Sophisticated 'Quasar Linux' RAT Targets Developers to Infiltrate Software Supply Chain

A sophisticated Linux-based Remote Access Trojan dubbed Quasar Linux (QLNX) has been identified targeting software developers to steal cloud, repository, and package-publishing credentials.

A sophisticated Linux-based Remote Access Trojan (RAT) dubbed "Quasar Linux" (QLNX) has been identified by researchers at Trend Micro, specifically engineered to compromise software developers and infiltrate the software supply chain. The malware is designed to harvest high-value credentials, including AWS configurations, Kubernetes tokens, Docker Hub credentials, Git access tokens, NPM authentication tokens, and PyPI API keys. By gaining control over a developer's environment, attackers can potentially inject malicious code into build artifacts or pivot into production cloud infrastructure (SecurityWeek).

The technical architecture of QLNX is highly modular and emphasizes stealth. Once executed, the malware operates primarily in memory, spoofs its process name, and deletes its original binary from disk to minimize its forensic footprint. To maintain long-term access, the RAT employs six distinct persistence mechanisms, including crontab entries, desktop entries, init scripts, and service files. Furthermore, it uses a two-tier rootkit approach: userspace hooks are deployed via an LD_PRELOAD shared library, while an eBPF rootkit controller manages kernel-level BPF maps to hide malicious processes, files, and network ports from standard system monitoring tools (SecurityWeek).

A core component of the malware's credential-harvesting capability is its Pluggable Authentication Module (PAM) backdoor. QLNX features two separate PAM implementations: one designed to capture plaintext credentials from authentication events and provide a master password bypass, and another that loads into dynamically linked processes to extract usernames and authentication tokens. Beyond these, the RAT supports 58 distinct commands, enabling operators to perform system reconnaissance, log keystrokes, capture screenshots, and use stolen SSH credentials to move laterally to remote hosts (SecurityWeek).
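The two concealment layers and the PAM backdoor described above each leave a check a defender can run on a suspect host: an LD_PRELOAD library shows up in /etc/ld.so.preload or in a process's environment, a process hidden from directory listings of /proc still answers a kill(pid, 0) probe, and a rogue PAM module appears as an unexpected entry in a pam.d stack. The script below is an added example written for this page, not code from the report or from Trend Micro; the allowlist, module names and paths in it are placeholders, not QLNX indicators.

```python
#!/usr/bin/env python3
"""Host audit for LD_PRELOAD hooking, process hiding and PAM stack tampering.
Added example for this page; not code from the report. All names here are
placeholders chosen for illustration, not real QLNX indicators."""
import os

PAM_TYPES = {"auth", "account", "password", "session"}


def preload_entries(text):
    """Libraries listed in an /etc/ld.so.preload file (blank/comment lines ignored).
    A populated file with no known reason for it warrants investigation."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def preload_from_environ(environ_bytes):
    """LD_PRELOAD value from a /proc/<pid>/environ blob (NUL-separated), or None."""
    for entry in environ_bytes.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def pam_modules(pam_text):
    """Module names referenced by a pam.d stack, handling the optional leading '-'
    and bracketed control fields such as [success=1 default=ignore]."""
    mods = []
    for raw in pam_text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("#") or ln.startswith("@include"):
            continue
        tokens = ln.lstrip("-").split()
        if len(tokens) < 3 or tokens[0] not in PAM_TYPES:
            continue
        i = 1
        if tokens[i].startswith("["):          # advance to the token closing the bracket
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
        if i + 1 < len(tokens):
            mods.append(tokens[i + 1])
    return mods


def unexpected_pam_modules(mods, allowlist):
    """Modules not in a per-host allowlist built from a known-good configuration."""
    return sorted({m for m in mods if m not in allowlist})


def live_pid_probe(pid):
    """True if a process with this PID exists even when /proc hides it: signal 0
    is never delivered, ProcessLookupError means no such process, and
    PermissionError means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(listed, probe, max_pid):
    """PIDs the probe reports alive that are absent from the /proc listing.
    Rootkits filtering directory reads (userspace hooks or eBPF) surface here.
    `listed` must include thread IDs too, or every non-leader thread is a hit."""
    return [pid for pid in range(1, max_pid + 1) if probe(pid) and pid not in listed]


def main():
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            for lib in preload_entries(f.read()):
                print(f"[ld.so.preload] {lib}")
    listed = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        listed.add(int(name))
        try:
            listed.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
            with open(f"/proc/{name}/environ", "rb") as f:
                lib = preload_from_environ(f.read())
        except OSError:
            continue
        if lib:
            print(f"[LD_PRELOAD] pid {name}: {lib}")
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    for pid in hidden_pids(listed, live_pid_probe, max_pid):
        print(f"[hidden pid] {pid}")
    # Placeholder allowlist: replace with the module set taken from a known-good host.
    allow = {"pam_unix.so", "pam_permit.so", "pam_deny.so", "pam_env.so"}
    for entry in sorted(os.listdir("/etc/pam.d")):
        with open(os.path.join("/etc/pam.d", entry)) as f:
            for m in unexpected_pam_modules(pam_modules(f.read()), allow):
                print(f"[pam] {entry}: unexpected module {m}")


if __name__ == "__main__":
    main()
```

Run it as root so /proc/<pid>/environ is readable for every process. The hidden-PID scan walks the whole PID space, so a process that starts or exits between the listing and the probe can appear once as a false positive; re-running the scan clears those. An eBPF rootkit that also filters the kill() path would defeat the probe, so treat an empty result as one signal among several rather than a clean bill of health.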

The threat posed by QLNX is significant due to its ability to facilitate supply chain attacks. By compromising a package maintainer, an attacker can silently trojanize software packages, effectively turning trusted developer accounts into distribution vectors for further malicious activity. Trend Micro notes that the danger lies in the malware's coherent attack workflow, which chains together advanced evasion, kernel-level concealment, and targeted credential theft to ensure the implant remains undetected for extended periods (SecurityWeek).

As of the current reporting, there are no specific patches or vendor advisories listed, as the threat is a modular malware implant rather than a single software vulnerability. Organizations and individual developers are encouraged to monitor for unauthorized changes to system configuration files and to scrutinize authentication logs for signs of PAM-related anomalies. The emergence of QLNX highlights a growing trend of sophisticated, multi-stage malware specifically tailored to exploit the trust inherent in modern software development pipelines (SecurityWeek).
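The persistence locations named in the report (crontab entries, desktop autostart entries, init scripts and service files) and the advice to watch configuration files for unauthorized changes translate into an inventory a developer can run on a workstation: parse each location for the command it will execute and flag commands whose executable lives in a temporary or hidden directory, plus files in those locations modified within a recent window. This is an added example written for this page, not code from the report or from Trend Micro; the sample crontab, unit and desktop entries in the test are constructed and the flagged paths are placeholders, not QLNX indicators.

```python
#!/usr/bin/env python3
"""Inventory of Linux persistence locations with a triage heuristic.
Added example for this page; not code from the report. Sample inputs and
flagged paths are constructed placeholders, not real QLNX indicators."""
import os
import time

TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
EXEC_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop",
             "ExecStopPost", "ExecReload", "ExecCondition"}
HOME = os.path.expanduser("~")
# (directory, kind); kind selects the parser applied to each file inside it.
LOCATIONS = [
    ("/etc/cron.d", "syscron"), ("/var/spool/cron/crontabs", "cron"),
    ("/etc/xdg/autostart", "desktop"), (f"{HOME}/.config/autostart", "desktop"),
    ("/etc/systemd/system", "unit"), (f"{HOME}/.config/systemd/user", "unit"),
    ("/etc/init.d", "script"),
]


def crontab_commands(text, system=False):
    """Commands scheduled by a crontab. System crontabs (/etc/crontab, /etc/cron.d)
    carry a user field between the schedule and the command."""
    cmds = []
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("#") or "=" in ln.split()[0]:   # skip env assignments
            continue
        if ln.startswith("@"):                                      # @reboot, @daily, ...
            parts, want = ln.split(None, 2 if system else 1), 3 if system else 2
        else:                                                       # five schedule fields
            parts, want = ln.split(None, 6 if system else 5), 7 if system else 6
        if len(parts) == want:
            cmds.append(parts[-1])
    return cmds


def unit_exec_commands(text):
    """Exec* commands of a systemd unit, with systemd's -, @, :, + and ! prefixes removed."""
    cmds = []
    for raw in text.splitlines():
        ln = raw.strip()
        if "=" in ln and ln.split("=", 1)[0] in EXEC_KEYS:
            cmds.append(ln.split("=", 1)[1].strip().lstrip("-@:+!"))
    return cmds


def desktop_exec_commands(text):
    """Exec= commands of a .desktop autostart entry."""
    return [ln.split("=", 1)[1].strip() for ln in text.splitlines()
            if ln.strip().startswith("Exec=")]


def flag_command(cmd):
    """Reasons a persisted command deserves a look: its executable sits under a
    temporary directory, or its path contains a hidden-directory component."""
    tokens = cmd.split()
    exe = tokens[0] if tokens else ""
    reasons = []
    if exe.startswith(TEMP_PREFIXES):
        reasons.append("executable in temporary directory")
    if "/." in exe:
        reasons.append("hidden path component")
    return reasons


def recently_modified(paths, window_seconds, now=None):
    """Paths whose mtime falls inside the window; unreadable paths are skipped."""
    now = time.time() if now is None else now
    hits = []
    for p in paths:
        try:
            if now - os.stat(p).st_mtime <= window_seconds:
                hits.append(p)
        except OSError:
            pass
    return hits


def main(window_seconds=7 * 24 * 3600):
    parsers = {"cron": crontab_commands, "desktop": desktop_exec_commands,
               "unit": unit_exec_commands, "script": lambda t: [],
               "syscron": lambda t: crontab_commands(t, system=True)}
    for directory, kind in LOCATIONS:
        if not os.path.isdir(directory):
            continue
        files = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
        for path in recently_modified(files, window_seconds):
            print(f"[recent change] {path}")
        for path in files:
            try:
                with open(path, errors="replace") as f:
                    cmds = parsers[kind](f.read())
            except OSError:
                continue
            for cmd in cmds:
                for reason in flag_command(cmd):
                    print(f"[{kind}] {path}: {reason}: {cmd}")


if __name__ == "__main__":
    main()
```

The heuristic is deliberately coarse: executables under ~/.local/bin trip the hidden-component rule, and /etc/init.d scripts are only checked for recent modification because their commands are arbitrary shell. The useful signal is the diff against a baseline taken from the same machine when it was known-good, so keep the output from a clean run and compare against it rather than reading a single run in isolation.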

Synthesized by Vypr AI