According to Trend Micro, a recently identified Linux backdoor dubbed Quasar Linux (QLNX) targets software developers with a modular, in-memory RAT designed for remote access, surveillance, and credential exfiltration. The implant focuses on stealing developer credentials across the software supply chain, including AWS credentials and configurations, Kubernetes tokens, Docker Hub credentials, Git access tokens and configurations, NPM authentication tokens, and PyPI API keys.
Trend Micro notes that a successful deployment against a package maintainer could allow the attackers to trojanise packages, inject backdoors into build artefacts, or pivot into cloud environments where production infrastructure lives. The malware uses multiple persistence and detection-evasion techniques, contains a rootkit, and includes a Pluggable Authentication Module (PAM) backdoor to harvest credentials, along with two PAM backdoor implementations.
It can persist in six different ways and supports 58 commands, enabling actions from harvesting information to keystroke logging and remote command execution. The findings were published on 6 May 2026.