
Quasar Linux RAT Targets Developer Credentials: Check Now

QLNX (Quasar Linux RAT) targets developer credential files to enable supply chain attacks

A previously undocumented Linux RAT named QLNX — short for Quasar Linux — is quietly targeting developer workstations. Its goal isn’t ransomware or botnet recruitment. It’s stealing the dotfiles that let you push packages to npm, upload to PyPI, and access your production AWS environment. Trend Micro’s GReAT team disclosed the Quasar Linux RAT in early May 2026 and noted only four AV engines detected it at the time. If you run Linux as your dev machine, your standard defenses probably would not catch it.

It Doesn’t Want Your Passwords — It Wants Your Tokens

QLNX skips the usual credential targets like /etc/shadow or browser-stored passwords. It goes straight for the files developers actually use to ship code:

  • ~/.npmrc — npm registry publish tokens
  • ~/.pypirc — PyPI upload credentials
  • ~/.git-credentials — Git authentication tokens
  • ~/.aws/credentials — AWS access keys
  • ~/.kube/config — Kubernetes cluster credentials
  • ~/.docker/config.json — container registry tokens
  • ~/.vault-token — HashiCorp Vault access
  • ~/.terraform.d/credentials.tfrc.json — Terraform Cloud tokens
  • GitHub CLI tokens and project-level .env files
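The list above is also your rotation checklist. The script below, an added example that is not from the article or from Trend Micro, walks those paths under a home directory, finds project-level .env files while skipping dependency directories, and reports which credential files exist and whether anyone besides the owner can read them. The GitHub CLI path (~/.config/gh/hosts.yml) is an assumption based on gh's default token store; the demo home it builds is constructed for illustration.

```python
"""Inventory the credential dotfiles the article lists.  Added example, not
from the article or from Trend Micro.  Paths follow the article's list; the
GitHub CLI location is an assumption (gh's default store)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Relative to $HOME, in the article's order.
CREDENTIAL_FILES = [
    ".npmrc", ".pypirc", ".git-credentials", ".aws/credentials",
    ".kube/config", ".docker/config.json", ".vault-token",
    ".terraform.d/credentials.tfrc.json",
    ".config/gh/hosts.yml",  # assumption: where `gh auth login` keeps its token
]
SKIP_DIRS = {"node_modules", ".git", ".venv", "venv", "__pycache__"}


def find_env_files(root: Path, max_depth: int = 3) -> List[Path]:
    """Project-level .env files under root, pruning dependency directories."""
    found: List[Path] = []
    root = root.resolve()
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        # prune in place so os.walk never descends into noise or too deep
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS and depth < max_depth]
        if ".env" in filenames:
            found.append(Path(dirpath) / ".env")
    return sorted(found)


def group_or_other_readable(path: Path) -> bool:
    """True when the mode bits let group or others read the file."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def inventory(home: Path, projects: Optional[Path] = None) -> List[Dict[str, object]]:
    """One record per credential file that actually exists on this machine."""
    home = home.resolve()
    candidates = [home / rel for rel in CREDENTIAL_FILES]
    if projects is not None:
        candidates += find_env_files(projects)
    report: List[Dict[str, object]] = []
    for p in candidates:
        if not p.is_file():
            continue
        try:
            shown = str(p.relative_to(home))
        except ValueError:
            shown = str(p)
        report.append({
            "path": shown,
            "bytes": p.stat().st_size,
            "loose_perms": group_or_other_readable(p),
        })
    return report


def make_demo_home() -> Path:
    """Constructed fixture: a throwaway home with a few of the files above."""
    home = Path(tempfile.mkdtemp(prefix="dotfile-demo-"))
    (home / ".aws").mkdir()
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=EXAMPLE-NOT-A-REAL-TOKEN\n")
    os.chmod(home / ".npmrc", 0o644)  # readable by others: will be flagged
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id=EXAMPLE\n")
    os.chmod(home / ".aws" / "credentials", 0o600)
    app = home / "projects" / "app"
    (app / "node_modules" / "dep").mkdir(parents=True)
    (app / ".env").write_text("DATABASE_URL=postgres://example\n")
    (app / "node_modules" / "dep" / ".env").write_text("ignored\n")  # pruned
    return home


if __name__ == "__main__":
    home = Path.home()
    for rec in inventory(home, home / "projects"):
        flag = "  <- group/other readable" if rec["loose_perms"] else ""
        print(f"{rec['path']}: {rec['bytes']} bytes{flag}")
```

Keep in mind that file permissions do not protect you from a RAT running as your own user: it reads a 0600 file as easily as you do. The value of the inventory is knowing, before an incident, exactly which tokens and keys would need revoking.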

These aren’t just your credentials — they’re your publishing rights. A stolen .npmrc token doesn’t just compromise your machine. It gives an attacker the ability to push a new version of every package you maintain to a registry that millions of developers pull from automatically.

Why You Won’t See It Coming

QLNX uses three techniques that make it genuinely hard to detect on a standard developer setup. First, it runs filelessly — no binary sits on disk after initial deployment. Second, it names its processes after legitimate kernel threads: kworker/0:0 and ksoftirqd/0. These are names that look entirely normal in a process list unless you know that real kernel threads operate in a separate PID namespace. Third, it deploys an eBPF rootkit that hides its processes, files, and network connections at the kernel level. Traditional antivirus does not reach there.

“A single compromised developer workstation could give the attacker the ability to publish trojanized packages to NPM or PyPI, inject backdoors into container images, or pivot from a personal laptop into production cloud environments.”

Trend Micro GReAT Team

Seven Ways It Stays Installed

Rebooting won’t help. QLNX installs persistence via seven mechanisms simultaneously: an LD_PRELOAD entry in /etc/ld.so.preload, a systemd service, a crontab entry, an init.d script, XDG autostart, .bashrc injection, and a PAM backdoor.

The PAM backdoor deserves special attention. It intercepts plaintext credentials during every authentication event on the machine, including SSH logins, and transmits them to the attacker’s C2 server. It also installs a master password bypass — meaning the attacker can authenticate to your system regardless of any password changes you make afterward. The backdoor compiles itself on the target host from embedded C source code using the gcc binary already on your system, then loads via /etc/ld.so.preload.
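A PAM backdoor has to appear somewhere in the stack files under /etc/pam.d, so a reviewable parser for that format is a practical check. The script below is an added example, not from the article or from Trend Micro: it parses the type / control / module / args lines (including bracketed controls and the `-` optional prefix), then flags any module referenced by absolute path or not on a baseline. The baseline set and the sample sshd stack are constructed for illustration; build your own baseline from a clean install and verify the module files themselves with your package manager (dpkg -V or rpm -V).

```python
"""Parse /etc/pam.d stacks and flag modules outside a known baseline.
Added example, not from the article or from Trend Micro.  BASELINE is an
assumption for illustration; derive yours from a clean install."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# type  control  module [args]; control may be a bracketed list with spaces,
# and a leading '-' marks the entry as optional if the module is missing.
PAM_LINE = re.compile(r"^\s*(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

BASELINE: Set[str] = {  # assumption: a plausible Debian/Ubuntu-style set
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_limits.so", "pam_systemd.so", "pam_motd.so", "pam_mail.so",
    "pam_faillock.so", "pam_nologin.so", "pam_loginuid.so", "pam_keyinit.so",
}


@dataclass
class PamEntry:
    file: str
    lineno: int
    type: str
    control: str
    module: str
    args: str


def parse_pam(text: str, filename: str) -> List[PamEntry]:
    """Entries of one pam.d file; comments, blanks and @include lines are skipped."""
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue  # malformed line, nothing to resolve
        entries.append(PamEntry(filename, lineno, *m.groups()))
    return entries


def suspicious(entries: Iterable[PamEntry], baseline: Set[str] = BASELINE) -> List[PamEntry]:
    """Absolute module paths (PAM normally resolves bare names from its module
    directory) and modules outside the baseline both deserve a look."""
    return [e for e in entries
            if "/" in e.module or os.path.basename(e.module) not in baseline]


def audit_dir(pam_dir: str = "/etc/pam.d") -> List[PamEntry]:
    """Run the check over every file in a pam.d directory."""
    hits: List[PamEntry] = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                hits += suspicious(parse_pam(f.read(), path))
    return hits


# Constructed sample: an sshd stack with one planted entry on line 5.
SAMPLE_SSHD = """\
# PAM configuration for sshd (constructed sample)
@include common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    sufficient                  /var/tmp/.x/pam_example_rogue.so  # planted
-session optional                   pam_systemd.so
session required                    pam_limits.so
"""

if __name__ == "__main__":
    for e in audit_dir():
        print(f"{e.file}:{e.lineno}: {e.type} {e.control} {e.module} {e.args}".rstrip())
```

A legitimate module referenced by absolute path will also be listed; that is deliberate, since the question is whether you put it there.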

One Developer, Millions of Downstream Victims

The pattern is not new, but the tooling keeps getting more sophisticated. The LiteLLM attack in March 2026 used stolen developer credentials to trojanize a Python package with 3.4 million daily downloads. The Mini Shai-Hulud campaign in May 2026 used stolen npm tokens to push malicious versions of 84 @tanstack packages within six minutes. QLNX is designed to collect those credentials at scale.

Developer machines are the target because they sit at the intersection of personal security posture and production publishing access. Most are not covered by enterprise EDR. Most have credentials stored in plaintext dotfiles. Most developers are not auditing /etc/ld.so.preload on a weekly basis — which is exactly what QLNX is counting on.

Check Your Machine Now

If you run Linux as your primary development environment, run these checks:

# Should be empty on most systems — anything here warrants investigation
cat /etc/ld.so.preload 2>/dev/null

# Check for unexpected crontab entries, for your user and for root
crontab -l; sudo crontab -l

# Audit PAM configuration for unauthorized modules: list the files, then every
# module they reference (look for unfamiliar names or absolute paths)
ls -la /etc/pam.d/
grep -rhoE '\S+\.so' /etc/pam.d/ | sort | uniq -c

# Real kernel threads operate in kernel PID namespace and are children of kthreadd (PID 2);
# flag user processes with these names whose parent is not PID 2.
# The [k] keeps grep from matching its own command line.
ps -eo pid,ppid,user,comm | grep -E '[k]worker|[k]softirqd' | awk '$2 != 2'
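The same two checks as code you can keep around and rerun, as an added example that is not from the article or from Trend Micro. It parses /etc/ld.so.preload (empty is the expected answer) and reads /proc to find processes that carry a kernel-thread name but fail the tests a genuine one always passes: parent PID 2 (kthreadd), no target behind /proc/<pid>/exe, and an empty cmdline. The sample process table is constructed.

```python
"""Two of the host checks above, as code.  Added example, not from the article
or from Trend Micro.  Reads the live /proc and /etc/ld.so.preload when run."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The two names the article reports QLNX borrowing from real kernel threads.
KTHREAD_NAME = re.compile(r"^(kworker/|ksoftirqd/)")
KTHREADD_PID = 2  # every genuine kernel thread is forked by kthreadd


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: Optional[str]  # None when /proc/<pid>/exe has no target (true for kernel threads)
    cmdline: str        # empty for kernel threads


def read_procfs(proc_root: str = "/proc") -> List[Proc]:
    """Build Proc records from a procfs tree; skips processes that exit mid-read.
    Without root, exe of other users' processes is unreadable and recorded as
    None, so the PPID and cmdline tests carry the check in that case."""
    procs: List[Proc] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "status")) as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        try:
            exe: Optional[str] = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        procs.append(Proc(int(entry), int(fields["PPid"]), fields["Name"].strip(), exe, cmdline))
    return procs


def kernel_thread_impostors(procs: Iterable[Proc]) -> List[Proc]:
    """A real kworker/ksoftirqd has PPID 2, no exe target and an empty cmdline;
    anything with such a name that fails any of those is user space in disguise."""
    return [p for p in procs
            if KTHREAD_NAME.match(p.comm)
            and (p.ppid != KTHREADD_PID or p.exe is not None or p.cmdline)]


def parse_ld_preload(lines: Iterable[str]) -> List[str]:
    """Entries of /etc/ld.so.preload: paths separated by whitespace or ':',
    with '#' starting a comment.  An empty result is the normal state."""
    entries: List[str] = []
    for line in lines:
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries


def read_ld_preload(path: str = "/etc/ld.so.preload") -> List[str]:
    try:
        with open(path) as f:
            return parse_ld_preload(f)
    except FileNotFoundError:
        return []  # file absent: nothing is preloaded this way


# Constructed sample process table: three genuine entries and two impostors.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None, ""),
    Proc(15, 2, "ksoftirqd/0", None, ""),
    Proc(22, 2, "kworker/0:0", None, ""),
    Proc(4242, 1, "kworker/0:0", "/memfd:example (deleted)", ""),  # fileless, parent is init
    Proc(4243, 4242, "ksoftirqd/0", None, "ksoftirqd/0"),          # exe unreadable; PPID and cmdline give it away
]

if __name__ == "__main__":
    for lib in read_ld_preload():
        print(f"ld.so.preload: {lib}")
    for p in kernel_thread_impostors(read_procfs()):
        print(f"pid {p.pid} (ppid {p.ppid}) named {p.comm!r}, exe={p.exe!r}")
```

One caveat applies to this and to the ps one-liner alike: the article says QLNX ships an eBPF rootkit that hides processes at the kernel level, so a clean result from the running kernel is only as trustworthy as that kernel. If you suspect a machine, confirm from outside it (boot from known-good media and inspect the disk, or compare against what the hypervisor sees).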

Then act on what you find. Revoke and reissue your npm tokens in the npm registry settings. Rotate AWS access keys in IAM. Delete and regenerate PyPI API tokens. If anything looked suspicious, treat every credential file in your home directory as compromised and rotate accordingly.

Trend Micro has published IOCs and SOC Prime has released SIGMA detection rules for QLNX covering LD_PRELOAD anomalies and suspicious PAM modifications. If you run Falco or auditd on your development infrastructure, those rules are worth deploying today.

QLNX is a reminder that the supply chain attack surface now starts in your home directory. The full Trend Micro GReAT technical analysis is worth reading in detail if you maintain any public packages or shared infrastructure.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
