Find notable cyber news and cases, enriched with sources, timelines, and signals.

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
First reported
Last updated
Happening score
H score 28
2 unique sources, 2 articles

Summary

Hide ▲

The Quasar Linux (QLNX) RAT has been identified as a Linux backdoor that can steal developer credentials and compromise software-supply-chain publishing pipelines. It uses a modular architecture with multiple persistence paths and detection evasion to remain embedded on infected systems. The malware also includes a rootkit and PAM backdoor components that harvest authentication data while hiding its presence. Its targets include AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI, putting both developer workstations and release infrastructure at risk.

Related Happenings

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Timeline

  1. 06.05.2026 12:48 2 articles · 2mo ago

    Quasar Linux (QLNX) disclosure and analysis

    Initial Disclosure

    Trend Micro identifies Quasar Linux (QLNX) as a Linux RAT aimed at software developers and supply-chain publishing environments, noting that it steals developer credentials, keys, and tokens for AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI. The malware runs in memory, spoofs its process name, deploys a PAM backdoor, uses LD_PRELOAD and eBPF-based hiding and persistence, and supports 58 commands for remote access and credential theft.

    Show sources