Close Menu
    What's Hot

    Wildfire Smoke Shutters Parks and Shuffles Visitors

    Jensen Huang says the more AI is used, the more ‘we have to hire’

    Opinion | A Test Isn’t Racist. Assumptions About Black Kids Can Be.

    Facebook X (Twitter) Instagram
    Trending
    • Wildfire Smoke Shutters Parks and Shuffles Visitors
    • Jensen Huang says the more AI is used, the more ‘we have to hire’
    • Opinion | A Test Isn’t Racist. Assumptions About Black Kids Can Be.
    • Iran condemns ‘barbaric’ US attack near children’s cancer hospital | US-Israel war on Iran News
    • Orphanage Fire Kills Eleven in Algeria
    • Everyone Thinks They Have the Diarrhea Parasite
    • Standard Lithium Ltd. (SLI:CA) Shareholder/Analyst Call Prepared Remarks Transcript
    • Oliver Bearman ‘flattered’ by Red Bull rumours amid continued uncertainty over future of Max Verstappen with team | F1 News
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

    adminBy adminMay 8, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananMay 08, 2026Linux / DevOps

    Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

    A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.

    “QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware.

    “Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.”

    Cybersecurity

    The malware’s ability to systematically harvest a wide range of credentials poses a severe risk to developer environments. A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to their publishing pipeline, allowing the attacker to push poisoned versions that can lead to cascading downstream impacts.

    QLNX executes filelessly from memory, masquerades itself as a kernel thread (e.g., kworker or ksoftirqd), and is capable of profiling the host to detect containerized environments, wiping system logs to cover up the tracks, and setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection. 

    Furthermore, it exfiltrates the collected data to an attacker-controlled infrastructure, and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network.

    Exactly how the malware is delivered is unclear. However, once a foothold is established, it enters a primary operational phase by running a persistent loop that continuously attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP. In total, QLNX supports 58 distinct commands that give the operators complete control of the compromised host.

    QLNX also comes with a Pluggable Authentication Module (PAM) inline-hook backdoor that intercepts plaintext credentials during authentication events, logs outbound SSH session data, and transmits the data to the C2 server. The malware also supports a second PAM-based credentials logger that’s automatically loaded into every dynamically linked process to extract the service name, username, and authentication token. 

    Cybersecurity

    It employs a two-tiered rootkit architecture: a userland rootkit deployed through the Linux dynamic linker’s LD_PRELOAD mechanism to ensure that the implant’s artifacts and processes stay hidden. There also exists a kernel-level eBPF component that uses BPF subsystem to conceal processes, files, and network ports from standard userland tools such as ps, ls, and netstat upon receiving instructions from the C2 server.

    “The QLNX implant was built for long-term stealth and credential theft,” Trend Micro said. “What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.”

    Chain Compromise Credentials developer Linux Quasar RAT Software Steals Supply
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleTech layoffs this week: Cloudflare, Coinbase, Upwork, and others point to AI as they slash jobs
    Next Article Nanoleaf bets its future on robots, red light therapy, and AI
    admin
    • Website

    Related Posts

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    July 16, 2026

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    July 16, 2026

    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Wildfire Smoke Shutters Parks and Shuffles Visitors

    Jensen Huang says the more AI is used, the more ‘we have to hire’

    Opinion | A Test Isn’t Racist. Assumptions About Black Kids Can Be.

    Iran condemns ‘barbaric’ US attack near children’s cancer hospital | US-Israel war on Iran News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by