Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
Happening score: 16
2 unique sources, 2 articles

Summary

The Quasar Linux (QLNX) RAT has been identified as a Linux backdoor that can steal developer credentials and compromise software-supply-chain publishing pipelines. It uses a modular architecture with multiple persistence paths and detection evasion to remain embedded on infected systems. The malware also includes a rootkit and PAM backdoor components that harvest authentication data while hiding its presence. Its targets include AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI, putting both developer workstations and release infrastructure at risk.

Related Happenings

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 06.05.2026 12:48 2 articles · 21d ago

    Quasar Linux (QLNX) disclosure and analysis

    Initial Disclosure

    Trend Micro identifies Quasar Linux (QLNX) as a Linux RAT aimed at software developers and supply-chain publishing environments, noting that it steals developer credentials, keys, and tokens for AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI. The malware runs in memory, spoofs its process name, deploys a PAM backdoor, uses LD_PRELOAD and eBPF-based hiding and persistence, and supports 58 commands for remote access and credential theft.