Researchers have documented a new Linux implant named Quasar Linux (QLNX), designed to compromise developer workstations and DevOps environments with functionality that combines a rootkit, a backdoor and credential theft; its design suggests a deliberate focus on supply chain attacks and long-term persistence on machines that have direct access to repositories, container registries and cloud credentials.
What makes QLNX particularly dangerous is its hybrid approach: the malware runs in memory and removes its on-disk artifacts to hinder forensic analysis, dynamically compiles components on the victim machine using gcc (including a user-space LD_PRELOAD module and an eBPF-based kernel component), and installs multiple automatic start-up mechanisms (from systemd to .bashrc and cron) so that it survives reboots and process termination. It also includes a remote control framework with dozens of commands, memory injection capabilities, file system monitoring, keylogging, and collection of SSH keys, cloud tokens and other secrets.

Targeting developer workstations is no coincidence: these machines often store credentials and tokens that allow publishing packages to npm, PyPI or container registries, or triggering CI/CD pipelines with high privileges. An attacker who controls a development environment can, without breaching production systems, introduce malicious artifacts into the supply chain and spread compromises at scale; the presence of QLNX should therefore be read as a reminder of the fragility of the human link and the local environment in software security.
Detection at the time of the report is low, which complicates containment: few antivirus engines yet detect the binary, and the fileless nature of the threat makes traditional scanning difficult. Defenses should therefore focus on prevention and detection measures specific to developers and pipelines: minimize the persistence of credentials on personal machines, enforce ephemeral, short-lived credentials for automated processes, apply multifactor authentication to all access to repositories and registries, and segregate development environments from environments where sensitive secrets reside.

At the operational level it is appropriate to audit the indicators of compromise that QLNX typically leaves: review unauthorized systemd units and services, unusual crontab entries, the presence of LD_PRELOAD settings or a modified /etc/ld.so.preload, changes to PAM modules or to /etc/pam.d, and abnormal processes masquerading under legitimate names. It is also recommended to deploy endpoint behavioral detection with kernel-level visibility, and to use rules that look for unexpected local compilation (gcc invoked by unusual parent processes) or unsigned eBPF program loads. If compromise is suspected, assume that local secrets were exfiltrated and rotate them immediately; rebuild from clean images and restore keys from trusted sources.
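A defender-side sweep of the persistence locations listed above, added here as an example and not code from the original report; it takes an optional root directory so it can be pointed at a mounted disk image or a test tree, and the path patterns it flags (/tmp, /dev/shm, /var/tmp, home directories) are assumptions about what deserves review, not published QLNX indicators.

```shell
#!/bin/sh
# Constructed audit helper: prints one "FINDING <kind> <path>" line per hit,
# a "TOTAL <n>" summary, and returns non-zero when anything was found.
audit_persistence() {
    root="${1:-}"   # empty means the live system (/)
    count=0

    # 1. Global preload list: any non-empty file here deserves review.
    if [ -s "$root/etc/ld.so.preload" ]; then
        echo "FINDING ld.so.preload $root/etc/ld.so.preload"
        count=$((count + 1))
    fi

    # 2. Shell start-up files exporting LD_PRELOAD (per-user persistence).
    for rc in "$root"/root/.bashrc "$root"/home/*/.bashrc "$root"/etc/profile "$root"/etc/bash.bashrc; do
        [ -f "$rc" ] || continue
        if grep -q 'LD_PRELOAD' "$rc"; then
            echo "FINDING bashrc-preload $rc"
            count=$((count + 1))
        fi
    done

    # 3. systemd units whose ExecStart runs from scratch or user-owned paths.
    for unit in "$root"/etc/systemd/system/*.service "$root"/etc/systemd/user/*.service "$root"/home/*/.config/systemd/user/*.service; do
        [ -f "$unit" ] || continue
        if grep -Eq '^ExecStart=.*(/tmp/|/dev/shm/|/var/tmp/|/home/)' "$unit"; then
            echo "FINDING systemd-unit $unit"
            count=$((count + 1))
        fi
    done

    # 4. Cron entries executing from the same scratch locations.
    for cron in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$cron" ] || continue
        if grep -Eq '(/tmp/|/dev/shm/|/var/tmp/)' "$cron"; then
            echo "FINDING cron $cron"
            count=$((count + 1))
        fi
    done

    # 5. PAM: modules are normally referenced by bare name, so an absolute .so path is unusual.
    for pamconf in "$root"/etc/pam.d/*; do
        [ -f "$pamconf" ] || continue
        if grep -Eq '^[^#]*[[:space:]]/[^[:space:]]+\.so' "$pamconf"; then
            echo "FINDING pam-absolute-module $pamconf"
            count=$((count + 1))
        fi
    done

    echo "TOTAL $count"
    [ "$count" -eq 0 ]
}
```

Run it as `audit_persistence` on the live host or `audit_persistence /mnt/image` on a mounted image; a non-zero exit means at least one location needs manual review.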
Organizations should add supply chain controls: sign artifacts, require reviews and signatures in CI, run builds on isolated, ephemeral runners, and scan artifacts before publication. Public documentation and tooling offer practical guides to hardening pipelines and repositories; for example, GitHub's supply chain security resources explain good practices for protecting workflows and dependencies (https://docs.github.com/en/code-security/supply-chain-security), and the efforts of government agencies and communities such as CISA contain recommendations on software supply chain risk management (https://www.cisa.gov/supply-chain).
In short, QLNX is not just another Trojan: it is a complex kit designed to hide, persist and abuse developer credentials to facilitate attacks on the supply chain. The effective response combines secrets hygiene, segmentation of development environments, behavior-based detection, and reproducible, signed build practices; without these measures, development teams will remain a privileged target for campaigns that seek to poison legitimate software at its origin.