- A new Linux malware, Quasar Linux RAT (QLNX), is stealthily targeting developers to steal credentials for software supply chains.
- The malware can hide itself, harvest credentials from files like .kube/config and .npmrc, and has over 58 commands for complete host control.
- Trend Micro researchers warn its combination of stealth, persistence, and credential theft creates a coherent and dangerous attack workflow.
According to a technical analysis by Trend Micro, security researchers have uncovered a previously undocumented and highly stealthy Linux implant targeting developers that poses a severe risk to software supply chain security. The malware, codenamed Quasar Linux RAT (QLNX), aims to establish a silent foothold on systems and harvest critical credentials.
Once in place, it extracts secrets from high-value developer files such as .npmrc, .pypirc, and .aws/credentials. With those credentials, attackers could push malicious packages or access cloud infrastructure directly.
QLNX executes filelessly from memory and conceals itself by masquerading as a kernel thread. It also employs a two-tiered rootkit, combining a userland component with a kernel-level eBPF module, to hide its activity.
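The two evasion tricks described above leave inconsistencies in /proc that a defender can check for: a user-space process posing as a kernel thread still has an executable image and memory mappings (genuine kernel threads have neither), a fileless payload shows a memfd-backed or unlinked path in /proc/PID/exe, and a rootkit that filters directory listings leaves PIDs that answer to a direct probe but are missing from the listing. The following script is an added example written for this article, not code from Trend Micro or from the QLNX analysis; the `ProcInfo` record, the `triage` and `hidden_pids` functions and the sample records are all constructed for illustration.

```python
"""Triage /proc for user-space processes posing as kernel threads, memfd/deleted
executables (fileless execution) and PIDs hidden from directory listings.
Added defensive example; the heuristics and names here are this example's own."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Names that real kernel threads commonly use and impostors like to borrow.
KTHREAD_NAME_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration",
                         "rcu_", "kswapd", "watchdog")


@dataclass
class ProcInfo:
    pid: int
    comm: str             # contents of /proc/<pid>/comm
    ppid: int             # PPid from /proc/<pid>/status (2 == kthreadd)
    cmdline_empty: bool   # empty /proc/<pid>/cmdline is why ps prints "[comm]"
    exe: str              # readlink(/proc/<pid>/exe), "" when it cannot be read
    maps_nonempty: bool   # whether /proc/<pid>/maps lists any mappings


def is_real_kernel_thread(p: ProcInfo) -> bool:
    """A genuine kernel thread has no executable image and no user-space mappings."""
    return p.exe == "" and not p.maps_nonempty


def triage(p: ProcInfo) -> List[str]:
    """Return human-readable findings for one process record (empty list == clean)."""
    findings: List[str] = []
    poses_as_kthread = (p.cmdline_empty or p.ppid == 2
                        or p.comm.startswith(KTHREAD_NAME_PREFIXES))
    if poses_as_kthread and not is_real_kernel_thread(p):
        findings.append("user-space process posing as kernel thread")
    if p.exe.startswith("/memfd:") or p.exe.endswith("(deleted)"):
        findings.append("executable is memory-backed or unlinked (fileless execution)")
    return findings


def hidden_pids(listed: Set[int], probe: Callable[[int], bool], pid_max: int) -> List[int]:
    """PIDs that answer a direct probe (e.g. os.path.exists('/proc/<pid>')) but are absent
    from the readdir listing; a getdents-filtering rootkit produces exactly this gap."""
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and probe(pid)]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect a ProcInfo from a live /proc entry; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/status") as fh:
            ppid = next(int(line.split()[1]) for line in fh if line.startswith("PPid:"))
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline_empty = fh.read() == b""
    except (OSError, StopIteration):
        return None
    try:
        exe = os.readlink(f"{base}/exe")      # ENOENT for kernel threads, EACCES unprivileged
    except OSError:
        exe = ""
    try:
        with open(f"{base}/maps") as fh:
            maps_nonempty = fh.readline() != ""
    except OSError:
        maps_nonempty = False
    return ProcInfo(pid, comm, ppid, cmdline_empty, exe, maps_nonempty)


def scan_live() -> Dict[int, List[str]]:
    """Run both checks against the running system (run as root for full exe/maps visibility)."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    results: Dict[int, List[str]] = {}
    for pid in sorted(listed):
        info = read_proc(pid)
        if info and triage(info):
            results[pid] = triage(info)
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    for pid in hidden_pids(listed, lambda p: os.path.exists(f"/proc/{p}"), pid_max):
        results[pid] = ["reachable under /proc but missing from its directory listing"]
    return results


# Constructed sample records (not taken from the Trend Micro report) for offline use.
SAMPLE = [
    ProcInfo(2, "kthreadd", 0, True, "", False),                          # genuine
    ProcInfo(15, "kworker/0:1", 2, True, "", False),                      # genuine
    ProcInfo(1001, "bash", 1, False, "/usr/bin/bash", True),              # ordinary process
    ProcInfo(4242, "kworker/u8:3", 1, True, "/memfd:x (deleted)", True),  # impostor
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.pid, rec.comm, triage(rec) or "clean")
    if os.path.isdir("/proc"):
        for pid, notes in scan_live().items():
            print(pid, "; ".join(notes))
```

Two caveats matter in practice. Unprivileged users cannot read `exe` or `maps` for other users' processes, so an impostor running as another account only shows up when the scan runs as root. And probing every PID up to `pid_max` is the brute-force half of the check; it catches a rootkit that filters `readdir` on /proc, but a kernel-level eBPF component that also intercepts the direct lookups would defeat it, which is why the findings should be cross-checked with `bpftool prog list` and an out-of-band view of the host rather than trusted alone.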
The implant is built for long-term stealth and supports 58 distinct commands for complete control. These commands enable shell execution, file management, keylogging, and even the establishment of network tunnels.
Furthermore, its PAM inline-hook backdoor intercepts plaintext credentials during logins. “The QLNX implant was built for long-term stealth and credential theft,” Trend Micro stated, highlighting its coherent and dangerous attack chain.
