Malware, Threat Intelligence, DevOps

New Quasar Linux implant targets developers with rootkit and backdoor capabilities

May 8, 2026
By SC Staff

As reported by Bleeping Computer, a new Linux implant named Quasar Linux (QLNX) has been identified, specifically targeting developers' systems with a sophisticated combination of rootkit, backdoor, and credential-stealing functionalities. QLNX is designed for stealth and long-term persistence, operating in-memory and employing multiple techniques to evade detection, including log wiping, process spoofing, and the use of seven distinct persistence mechanisms. The malware is deployed in development and DevOps environments across platforms like npm, PyPI, GitHub, AWS, Docker, and Kubernetes, posing a significant supply-chain risk.

Researchers at Trend Micro found that QLNX dynamically compiles its rootkit and backdoor modules on the target host. Its capabilities include a RAT core for remote control, a dual-layer rootkit (userland and kernel-level eBPF), a credential access layer for harvesting sensitive information like SSH keys and cloud configurations, and surveillance modules for keylogging and screenshotting. The implant also facilitates networking, lateral movement, and real-time filesystem monitoring.

By targeting developer workstations, attackers can bypass enterprise security controls and gain access to credentials vital for software delivery pipelines, mirroring recent supply-chain incidents where compromised developer accounts were used to publish malicious packages.

Source: Bleeping Computer