Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
Summary
Hide ▲
Show ▼
The Quasar Linux (QLNX) RAT has been identified as a Linux backdoor that can steal developer credentials and compromise software-supply-chain publishing pipelines. It uses a modular architecture with multiple persistence paths and detection evasion to remain embedded on infected systems. The malware also includes a rootkit and PAM backdoor components that harvest authentication data while hiding its presence. Its targets include AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI, putting both developer workstations and release infrastructure at risk.
Related Happenings
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources 1
About this happening:
**Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Deps credential stealer in hijacked Arch AUR builds
Malware ActivityAbout this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
H score34
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor trap-core.js credential-stealing package malware
Malware ActivityAbout this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Timeline
-
06.05.2026 12:48 2 articles · 2mo ago
Quasar Linux (QLNX) disclosure and analysis
Initial DisclosureTrend Micro identifies Quasar Linux (QLNX) as a Linux RAT aimed at software developers and supply-chain publishing environments, noting that it steals developer credentials, keys, and tokens for AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI. The malware runs in memory, spoofs its process name, deploys a PAM backdoor, uses LD_PRELOAD and eBPF-based hiding and persistence, and supports 58 commands for remote access and credential theft.
Show sources
- Sophisticated Quasar Linux RAT Targets Software Developers — www.securityweek.com — 06.05.2026 12:48
- Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise — thehackernews.com — 08.05.2026 14:00