thehackernews.com 5/8/2026, 12:07:06 PM

Stealthy Quasar Linux RAT siphons dev credentials in supply chain

CyberSIXT Evidence Panel
Primary Source trendmicro.com

A new Linux implant named Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold and support a broad post‑compromise capability, including credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.

According to Trend Micro, QLNX targets developer and DevOps credentials across the software supply chain: its credential harvester can extract secrets from files such as .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files, enabling potential abuse of publishing pipelines and cloud access.

The malware runs filelessly from memory, masquerades as a kernel thread, and can profile the host to detect containers, wipe logs, and persist via at least seven methods, including systemd, crontab, and .bashrc shell injection; it exfiltrates data to attacker-controlled infrastructure and awaits C2 commands. A PAM inline-hook backdoor intercepts plaintext credentials during authentication events, while a second PAM module logs service names, usernames, and tokens.

Trend Micro describes a two-tier rootkit architecture: an LD_PRELOAD userland component and a kernel-level eBPF component that hide processes, files, and ports. Operators can issue 58 distinct commands and even run a P2P mesh network. The 8 May 2026 report underscores the long-term stealth and credential-theft capabilities of QLNX, which could let attackers harvest credentials across multiple layers of the software supply chain.
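As an added defender-side example (not Trend Micro's or CyberSIXT's code), the Python below hunts on a Linux host for two of the behaviours described above: a user process posing as a kernel thread, and an LD_PRELOAD hook set per process or in /etc/ld.so.preload. The process records, the hook path and the preload line in SAMPLE are constructed; the checks are generic kernel-thread and preload properties rather than anything QLNX-specific, so they apply to other Linux implants as well.

```python
import os
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm cmdline has_mm environ", defaults=({},))  # has_mm: /proc/<pid>/maps non-empty
KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "migration", "rcu_", "kswapd")

def fake_kthread_reasons(p):
    """Genuine kernel threads: parent kthreadd, no user memory (empty maps), empty cmdline."""
    if p.pid in (1, KTHREADD_PID) or not (
            p.cmdline.startswith("[") or p.comm.startswith(KTHREAD_PREFIXES)):
        return []
    checks = [(p.ppid != KTHREADD_PID, "parent is not kthreadd"),
              (p.has_mm, "owns user-space memory mappings"),
              (bool(p.cmdline), "cmdline is not empty")]
    return [why for hit, why in checks if hit]

def scan(procs, ld_so_preload=""):
    """(pid, reason) findings; pid 0 marks the system-wide /etc/ld.so.preload."""
    findings = [(0, "/etc/ld.so.preload loads " + l.strip()) for l in
                ld_so_preload.splitlines() if l.strip() and not l.startswith("#")]
    for p in procs:
        findings += [(p.pid, f"{p.comm}: {r}") for r in fake_kthread_reasons(p)]
        if p.environ.get("LD_PRELOAD"):
            findings.append((p.pid, "LD_PRELOAD=" + p.environ["LD_PRELOAD"]))
    return findings

def _read(path):  # "" if the process exited, or is not ours and we are not root
    try:
        return open(path, "rb").read().decode("utf-8", "replace")
    except OSError:
        return ""

def read_procfs():  # live collection; run as root so every pid's maps/environ are readable
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        status = _read(f"/proc/{d}/status")
        if "PPid:" not in status:
            continue  # exited between listdir and read
        env = dict(e.split("=", 1) for e in _read(f"/proc/{d}/environ").split("\0") if "=" in e)
        procs.append(Proc(int(d), int(status.split("PPid:")[1].split()[0]),
                          _read(f"/proc/{d}/comm").strip(),
                          _read(f"/proc/{d}/cmdline").replace("\0", " ").strip(),
                          bool(_read(f"/proc/{d}/maps")), env))
    return procs

SAMPLE = [  # constructed records, not captured from a real host
    Proc(2, 0, "kthreadd", "", False), Proc(17, 2, "kworker/0:1", "", False),
    Proc(4242, 1, "kworker/u8:2", "[kworker/u8:2]", True, {"LD_PRELOAD": "/tmp/example-hook.so"}),
    Proc(900, 1, "sshd", "/usr/sbin/sshd -D", True)]
```

Run `scan(read_procfs(), _read("/etc/ld.so.preload"))` on a live host; a kernel-level eBPF rootkit of the kind the report describes can hide its entries from /proc, so treat a clean result as one data point beside a trusted offline image comparison.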


Article by CyberSIXT
