Trend Micro has detailed a Linux implant that specifically points to development and operations environments, baptized as Quasar Linux RAT (QLNX); its design combines systematic theft of credentials with advanced concealment techniques, making it a particularly dangerous threat to the software supply chain.
Unlike many general malware pieces, QLNX focuses on removing secrets that usually reside on developer and pipeline machines: NPM and PyPI tokens, Git and cloud credentials, .env files, Kubernetes and Docker settings, among others. Obtaining any of these elements allows an attacker to publish malicious packages, take control of cloud infrastructure or move laterally through CI / CD, with the potential to cause a "domino effect" in projects and dependencies.
What makes QLNX particularly disturbing is its combination of techniques: fileless execution from memory, camouflage as kernel threads (e.g. kworker), and a redundant persistence architecture (systemd, crontab, modifications in .bashrc and others). It also uses two rootkit levels - a routkit in user space using LD _ PRELOAD and a kernel component that uses eBPF to hide processes, files and ports - and a backdoor that intercepts credentials in PAM authentication processes. This mixture allows you to remain silent for long periods and capture clear credentials just when the user is authenticated.
From the operational point of view, QLNX supports dozens of remote commands to manage files, inject code, take pants, record keys and establish TCP / SOCKS tunnels, making it a complete tool for remote control and exfiltration. You can also load modules in each dynamically linked process to capture tokens, and maintain persistent communication with your TCP, HTTPS and HTTP control infrastructure.
The implications for developers, package holders and security equipment are clear: a committed machine not only risks the local code, but can pollute public repositories and automated pipelines. An attacker with NPM or PyPI publication permits can introduce malicious versions that spread to many projects and users.
To mitigate the immediate risk, it is essential protect secrets and assume that any workstation can be objective. Practical measures include rotating and revoking potentially exposed tokens, moving credentials to managed vaults (secret managers) with temporary and limited access, and replacing long-term tokens with federated ID mechanisms (e.g. OIDC) that avoid storing secrets in local files.
From the point of view of detection and response, it is appropriate to review artifacts and behaviors that QLNX abuses: to verify LD _ PRELOAD variables and suspicious PAM modules, to audit unusual entries in systemd and cron, to check the presence of threads / processes that imitate the kernel, and to monitor the use of eBPF or BPF maps that are not justified by legitimate tools. Modern EDR solutions and integrity monitoring can help, but it is also necessary isolate build agents and use ephemeral environments to minimize the possibility of persistence and theft of credentials.
The medium-term strategy should focus on reducing supply chain exposure: requiring package signature, enabling unit review processes, implementing reproducible buildings and applying minimum access controls in pipelines. For critical organizations, the response to such an incident may require redoing building agents and compromised stations from reliable media, and conducting a forensic investigation that includes memory capture to detect phileless executions.
QLNX highlights two trends that we must address with priority: on the one hand, the exploitation of credentials stored in development environments; on the other, the use of legitimate technologies (LD _ PRELOAD, eBPF, PAM) as means of concealment. In order to deepen how eBPF works and why its abuse complicates detection, the documentation and resources can be consulted at ebpf.io. To understand the techniques of credentials theft and the attack patterns that defence teams must monitor, MITRE's ATT & CK matrix is a useful resource: https: / / attack.mitre.org / techniques / T1552 /.
In short, QLNX is not just another malware for Linux: it is a reminder that developers and their machines are part of the security perimeter. The combination of technical controls, good practice in the management of secrets and hardening processes in CI / CD is the only realistic way to limit the scope of threats that our tokens and pipelines seek to spread.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...