QLNX raises alarm over developer credential theft

A newly documented Linux remote access trojan has sharpened concerns over software supply-chain security after researchers found it was built to steal developer and DevOps credentials that could be used to compromise trusted code repositories, cloud systems and package registries.

The malware, known as Quasar Linux or QLNX, combines remote access functions with a rootkit, a Pluggable Authentication Module (PAM) backdoor, keylogging and credential-harvesting features. Its design points to long-term control over Linux developer environments rather than a short-lived intrusion, which makes it especially dangerous for organisations that rely on automated build systems, open-source packages and cloud-based deployment pipelines.

QLNX targets files and tokens that are commonly found on engineering workstations and build servers. These include npm tokens, PyPI credentials, Git credentials, AWS access keys, Kubernetes configuration files, Docker credentials, Vault tokens, Terraform credentials, GitHub CLI tokens and environment files. Access to these materials can allow an attacker to publish malicious software updates, enter cloud infrastructure, alter CI/CD workflows or move deeper into enterprise systems.
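An inventory of the credential material listed above, as an added example that is not tooling from the article or from the researchers who analysed QLNX. It walks the places where each tool normally keeps its secret, reports which files exist and whether anyone other than the owner can read them, and it runs offline against a constructed fake home directory. The default paths (`~/.npmrc`, `~/.aws/credentials` and so on) are the usual locations for each tool and are assumptions to adjust for your own environment.

```python
"""Inventory of the credential files a QLNX-style stealer would collect on a
Linux developer host, with a permission check on each.  Added example, not
tooling from the article or the researchers; the default paths are the usual
locations for each tool and are assumptions to adjust for your environment."""
import os
import stat
import tempfile
from pathlib import Path

# Assumed default locations, relative to the user's home directory.
CREDENTIAL_FILES = {
    "npm token": ".npmrc",
    "PyPI credentials": ".pypirc",
    "Git credentials": ".git-credentials",
    "AWS access keys": ".aws/credentials",
    "Kubernetes config": ".kube/config",
    "Docker credentials": ".docker/config.json",
    "Vault token": ".vault-token",
    "Terraform credentials": ".terraformrc",
    "GitHub CLI token": ".config/gh/hosts.yml",
}
# .env files live inside project checkouts rather than at a fixed path.
ENV_FILE_NAMES = {".env", ".env.local", ".env.production"}


def classify_mode(mode):
    """Describe who can read a file from its st_mode bits."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def inventory(home, source_dirs=()):
    """Return (label, path, readability) for every credential file found."""
    home = Path(home)
    findings = []
    for label, rel in CREDENTIAL_FILES.items():
        path = home / rel
        if path.is_file():
            findings.append((label, str(path), classify_mode(path.stat().st_mode)))
    for src in source_dirs:
        for root, _dirs, files in os.walk(src):
            for name in files:
                if name in ENV_FILE_NAMES:
                    path = Path(root) / name
                    findings.append(("environment file", str(path), classify_mode(path.stat().st_mode)))
    return findings


def exposed(findings):
    """Findings readable by more than the file's owner."""
    return [f for f in findings if f[2] != "owner-only"]


def demo():
    """Run the inventory over a constructed fake home directory (sample data, not real secrets)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_SAMPLETOKEN\n")
        os.chmod(home / ".npmrc", 0o644)  # too permissive: any local user can read the token
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = AKIASAMPLE\n")
        os.chmod(home / ".aws" / "credentials", 0o600)
        project = home / "src" / "app"
        project.mkdir(parents=True)
        (project / ".env").write_text("DATABASE_URL=postgres://app:sample@db/app\n")
        os.chmod(project / ".env", 0o640)
        return inventory(home, [home / "src"])


if __name__ == "__main__":
    home = Path.home()
    for label, path, readability in inventory(home, [home / "src"]):
        print(f"{readability:15} {label:22} {path}")
```

Running it on a real workstation tells you what an intruder with the user's privileges would walk away with; every file it lists is a candidate for rotation after a compromise, and anything not `owner-only` is a candidate for `chmod 600` today.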

The malware’s technical architecture reflects a wider shift in cyber operations. Instead of focusing only on end-user devices or corporate email accounts, attackers are increasingly targeting the people and machines that build, sign and distribute software. A single stolen maintainer credential can give adversaries the ability to push tainted code to thousands or millions of downstream users.

QLNX is notable for the way it attempts to hide inside Linux systems. It carries embedded C source code for its rootkit and authentication backdoor, compiles them on the infected host with gcc, and deploys them to intercept system activity. LD_PRELOAD instructs the dynamic linker to load a named library ahead of every other shared library, so the rootkit's own versions of common library calls shadow the genuine ones in every dynamically linked program that starts afterwards. That is how it conceals files, processes and network activity from routine inspection with ordinary userland tools; statically linked binaries do not pick up the hook, which gives responders one way around it.

The PAM backdoor is particularly serious because of where it sits. PAM modules receive the password in plaintext before it is checked against the stored hash, so a module hooked into the login stack can record every credential presented to it. QLNX uses that position to capture credentials as users authenticate, and it also contains a hardcoded master password, giving the operator a separate route into the compromised machine that does not depend on any stolen account. Stolen credentials are encrypted before being written to a hidden location under the system log path, reducing the chance of casual discovery.
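Triage checks for the two mechanisms in the last two paragraphs, LD_PRELOAD hooking and an unexpected PAM module, as an added example that is not the article's or the researchers' tooling. It reads `/etc/ld.so.preload` and each process's `LD_PRELOAD` environment, parses every file in `/etc/pam.d` and reports modules outside an allowlist or loaded by absolute path, and it looks for processes that answer `kill(pid, 0)` but are missing from the `/proc` directory listing that a `readdir()` hook would filter. The `EXPECTED_PAM` allowlist is an assumed starting point that must be tuned to the distribution in use.

```python
"""Triage checks for LD_PRELOAD hooking and rogue PAM modules on a Linux host.
Added example, not the article's or the researchers' tooling; EXPECTED_PAM is
an assumed starting allowlist that must be tuned to the distribution in use."""
import os
import re
from pathlib import Path

# Assumed baseline of modules a stock login stack uses; anything else, or any
# module given by absolute path, is reported for review.
EXPECTED_PAM = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_systemd.so",
    "pam_limits.so", "pam_nologin.so", "pam_faildelay.so", "pam_succeed_if.so",
    "pam_localuser.so", "pam_motd.so", "pam_mail.so", "pam_umask.so", "pam_keyinit.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_lastlog.so", "pam_faillock.so",
    "pam_pwquality.so", "pam_securetty.so", "pam_shells.so", "pam_rootok.so",
    "pam_wheel.so", "pam_access.so", "pam_cap.so", "pam_sss.so",
}
# pam.d syntax: [-]type control module [args]; control may be a [bracketed] form.
PAM_LINE = re.compile(r"^\s*-?(?:auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")


def parse_ld_so_preload(text):
    """Library paths from /etc/ld.so.preload: one per line, '#' starts a comment."""
    libs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs


def ld_preload_from_environ(blob):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def pam_modules(text):
    """Module paths referenced by one pam.d file, ignoring comments and @include."""
    mods = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if m:
            mods.append(m.group(1))
    return mods


def unexpected_pam_modules(text, allowlist=EXPECTED_PAM):
    """Modules not on the allowlist, plus any referenced by absolute path."""
    return [m for m in pam_modules(text)
            if os.path.basename(m) not in allowlist or m.startswith("/")]


def pids_via_readdir():
    """Process ids as a directory listing reports them (what a readdir() hook filters)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_via_kill(max_pid):
    """Process ids found by probing kill(pid, 0), which never goes through readdir()."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user
        alive.add(pid)
    return alive


def is_process(pid):
    """kill() also accepts thread ids, so keep only thread-group leaders.
    A pid that is alive but has no /proc entry at all is kept as suspicious."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (FileNotFoundError, ProcessLookupError):
        return True
    return False


def hidden_pids(listed, probed, check=is_process):
    """Pids the signal probe found that the directory listing did not show."""
    return sorted(p for p in probed - listed if check(p))


def scan_host():
    """Run every check against the live system; run as root for full coverage."""
    findings = []
    try:
        for lib in parse_ld_so_preload(Path("/etc/ld.so.preload").read_text()):
            findings.append(f"/etc/ld.so.preload loads {lib}")
    except FileNotFoundError:
        pass
    listed = pids_via_readdir()
    for pid in listed:
        try:
            val = ld_preload_from_environ(Path(f"/proc/{pid}/environ").read_bytes())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if val:
            findings.append(f"pid {pid} runs with LD_PRELOAD={val}")
    for cfg in sorted(Path("/etc/pam.d").glob("*")):
        if cfg.is_file():
            for mod in unexpected_pam_modules(cfg.read_text(errors="replace")):
                findings.append(f"{cfg}: unexpected PAM module {mod}")
    max_pid = int(Path("/proc/sys/kernel/pid_max").read_text())
    for pid in hidden_pids(listed, pids_via_kill(max_pid)):
        findings.append(f"pid {pid} is alive but absent from the /proc listing")
    return findings


if __name__ == "__main__":
    print("\n".join(scan_host()) or "no findings")
```

Two caveats. The scanner is itself a dynamically linked program, so a preload library that also hooks `open()` or `kill()` can lie to it; for a trusted answer, run a statically linked tool or examine the disk from a clean boot. And a trojanised copy of a legitimate module such as `pam_unix.so` passes the name allowlist, so pair the check with package verification (`dpkg -V libpam-modules` or `rpm -V pam`) rather than relying on names alone.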

Beyond credential theft, QLNX includes anti-forensic behaviour. It can run in memory, delete its original binary, wipe logs, spoof process names and clear environment variables that might otherwise help investigators reconstruct the intrusion. These features indicate that the malware is designed for stealth, persistence and operational flexibility inside development environments.

Researchers also identified peer-to-peer mesh capability, which could allow infected machines to communicate with one another rather than rely solely on a central command-and-control server. That feature can make takedown and eradication harder, particularly across distributed developer teams, cloud runners and hybrid infrastructure.

The disclosure comes against a backdrop of escalating attacks on open-source ecosystems. The LiteLLM project disclosed in March that unauthorised PyPI releases had affected versions 1.82.7 and 1.82.8, with malicious code designed to harvest secrets such as environment variables, SSH keys, cloud credentials, Kubernetes tokens and database passwords. Users who installed or upgraded LiteLLM during the affected window were advised to review systems and rotate credentials, while official Docker image users were not affected because that deployment path pinned dependencies.

The Axios npm incident in late March further demonstrated the scale of the risk. A compromised maintainer account was used to publish malicious versions of the widely used JavaScript HTTP client, including releases that pulled in a rogue dependency through a postinstall hook, a script npm runs automatically as part of installing the package. The package has a very large footprint across the JavaScript ecosystem, and the backdoored releases delivered platform-specific payloads for Windows, macOS and Linux before being removed after a narrow exposure window.

These episodes illustrate why supply-chain attacks are difficult to contain. Many development teams rely on automated dependency updates, unpinned packages and build systems that pull code from public registries. Attackers exploit that trust by targeting maintainers, their publishing credentials and registry workflows rather than breaching every downstream organisation directly.

Security teams are now being urged to treat developer workstations and build servers as high-value assets. Measures such as strict package pinning, mandatory multi-factor authentication for registry accounts, hardware-backed signing keys, provenance checks, isolated build environments, short-lived credentials and aggressive secret rotation are becoming baseline requirements rather than advanced controls.
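A manifest audit for the pinning side of that list, as an added example that is not from the article or from either affected project. It flags npm dependencies declared as floating ranges, packages that a `package-lock.json` marks `hasInstallScript` (the install-time hook the Axios releases abused), `requirements.txt` entries that are not `==` pinned or carry no `--hash`, and an `.npmrc` that does not set `ignore-scripts` and `save-exact`. The manifests in `demo()` are constructed and the package names in them are placeholders.

```python
"""Audit npm and pip manifests for floating version ranges and install-time
scripts.  Added example, not from the article; the sample manifests in demo()
are constructed and their package names are placeholders."""
import json
import re

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build metadata.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# requirements.txt: name, optional [extras], optional comparison operator.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?")
# npm settings that stop install scripts and floating ranges from creeping in.
REQUIRED_NPMRC = {"ignore-scripts": "true", "save-exact": "true"}


def floating_dependencies(package_json):
    """npm dependencies declared as a range (^, ~, *, >=, URL) rather than an exact version."""
    manifest = json.loads(package_json)
    floating = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_SEMVER.match(spec):
                floating[name] = spec
    return floating


def packages_with_install_scripts(package_lock):
    """Packages a v2/v3 package-lock.json marks hasInstallScript (pre/post-install hooks)."""
    lock = json.loads(package_lock)
    hits = []
    for key, entry in lock.get("packages", {}).items():
        if key and entry.get("hasInstallScript"):  # "" is the root project itself
            hits.append(key.rsplit("node_modules/", 1)[-1])
    return hits


def unpinned_requirements(requirements_txt):
    """requirements.txt entries not '==' pinned, or pinned without a --hash."""
    problems = []
    text = requirements_txt.replace("\\\n", " ")  # join backslash-continued hash lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or -r/--index-url option
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op = m.groups()
        if op != "==":
            problems.append((name, "floating"))
        elif "--hash=" not in line:
            problems.append((name, "no hash"))
    return problems


def missing_npmrc_hardening(npmrc):
    """REQUIRED_NPMRC keys absent from, or set to another value in, an .npmrc."""
    settings = {}
    for raw in npmrc.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return [k for k, v in REQUIRED_NPMRC.items() if settings.get(k) != v]


def demo():
    """Run the audit over constructed sample manifests and return the results."""
    package_json = json.dumps({
        "dependencies": {"web-client": "^1.4.0", "logger": "2.0.1"},
        "devDependencies": {"bundler": "*"},
    })
    package_lock = json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/web-client": {"version": "1.4.2", "hasInstallScript": True},
        "node_modules/logger": {"version": "2.0.1"},
    }})
    requirements = (
        "somepkg>=1.80          # floats to whatever the registry serves next\n"
        "requests==2.32.3       # pinned, but nothing verifies the artifact\n"
        "urllib3==2.2.2 \\\n    --hash=sha256:0000\n"
        "-r base.txt\n"
    )
    return {
        "floating": floating_dependencies(package_json),
        "install_scripts": packages_with_install_scripts(package_lock),
        "unpinned": unpinned_requirements(requirements),
        "npmrc_missing": missing_npmrc_hardening("save-exact=true\n; comment\n"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

`ignore-scripts=true` also suppresses your own project's lifecycle scripts and breaks the few packages that genuinely need a native build step, so the usual pattern is to keep it on in CI and run the handful of required builds explicitly. On the Python side, `pip install --require-hashes -r requirements.txt` refuses any entry without a hash, which is the enforcement the `no hash` finding is pointing at.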

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
