Quasar Linux RAT (QLNX) analysis of developer credential theft and two-tier rootkit hiding
Technical Analysis
Summary
Researchers identified Quasar Linux RAT (QLNX) as a previously undocumented Linux implant built to target developer and DevOps credentials, heightening software supply chain risk. The malware combines credential harvesting, fileless execution, and stealth persistence to stay resident on victim hosts. It can steal secrets from .npmrc, .aws/credentials, and other development files, then use them to compromise package registries, cloud infrastructure, and CI/CD pipelines.
Related Happenings
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
How related:
A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
SmartLoader trojanized Oura MCP Server delivery of StealC
Malware Activity
First: 17.02.2026 14:42
Last: 17.02.2026 14:42
Sources 1
About this happening:
The **SmartLoader** operation is now distributing a **trojanized Oura MCP Server** to drop **StealC**, creating a supply-chain path to steal developer secrets. The rogue package i...
Timeline
- 08.05.2026 14:00 · 2 articles · 19d ago
Trend Micro details QLNX developer credential theft and stealth
Technical Analysis Update
Trend Micro described Quasar Linux RAT (QLNX) as a previously undocumented Linux implant targeting developers' systems and DevOps credentials across the software supply chain. The malware can harvest secrets from files such as .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files, enabling abuse of NPM or PyPI publishing pipelines, cloud infrastructure, and CI/CD pipelines. It also supports fileless memory execution, kernel-thread masquerading, 58 distinct commands over raw TCP, HTTPS, and HTTP, PAM-based credential interception, LD_PRELOAD userland hiding, eBPF-based concealment of processes, files, and network ports, and multiple persistence and tunneling capabilities.
Sources:
- Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise — thehackernews.com — 08.05.2026 14:00