
Quasar Linux RAT Steals Developer Credentials for Supply Chain Attacks


A developer sits down at their Linux workstation, pushes code, publishes packages, and manages cloud infrastructure, but they have no idea that every keystroke, every credential, and every SSH session is being watched.

Security researchers at Trend Micro have uncovered a previously undocumented Linux implant called Quasar Linux RAT (QLNX), a credential-theft implant that specifically targets developers and DevOps professionals.
The goal is simple: steal the credentials that let attackers poison the software supply chain.

What Is Quasar Linux RAT?

QLNX is a sophisticated Linux implant built for long-term stealth and credential harvesting. It runs filelessly from memory, masquerades as legitimate kernel threads, and can persist through seven different mechanisms.

Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim explained that QLNX targets developer and DevOps credentials across the software supply chain, with a credential harvester that extracts secrets from high-value files.

QLNX systematically hunts for credentials in well-known locations: .npmrc (npm registry tokens), .pypirc (PyPI publishing credentials), .git-credentials (Git authentication), .aws/credentials (AWS access keys), .kube/config (Kubernetes cluster credentials), .docker/config.json (Docker registry auth), .vault-token (HashiCorp Vault tokens), Terraform credentials, GitHub CLI tokens, and .env files (environment variables holding secrets).
Everything it finds is exfiltrated to an attacker-controlled server.

Why Developer Credentials Matter

QLNX targets developers for one reason: supply chain attacks.

An attacker who obtains a package maintainer's npm or PyPI credentials can publish malicious versions of legitimate packages, and that is exactly what QLNX is built to enable.

Trend Micro warned that compromise of these assets could allow the operator to push malicious packages to the npm or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines. A single compromised developer workstation can therefore lead to thousands of infected downstream users.

How QLNX Operates

QLNX executes filelessly from memory: it never writes its binary to disk, which renders traditional file scanning ineffective.

To avoid detection, the implant masquerades as a legitimate kernel thread such as kworker or ksoftirqd so that it blends in with normal system processes. It also profiles its host to determine whether it is running in a container and adjusts its behavior accordingly.

Persistence: Seven Redundant Methods

QLNX does not rely on a single persistence method. The malware has at least seven ways to remain active, including systemd services, crontab entries, .bashrc shell injection, and several other redundant mechanisms.

If one persistence method is discovered and removed, QLNX falls back to another, and this redundancy makes cleaning an infected device almost impossible.

The PAM Backdoor

One of the most dangerous features of QLNX is its Pluggable Authentication Module (PAM) backdoor.

The implant includes a PAM inline-hook backdoor that intercepts plaintext credentials during authentication events: when a user logs in via SSH, sudo, or any other PAM-enabled service, the backdoor captures the username, the plaintext password, and the service name.

QLNX also logs outbound SSH session data, so everything typed in an SSH session can be captured. A second PAM-based credential logger is loaded automatically into every dynamically linked process to extract authentication tokens from any process that handles them.

Two-Tiered Rootkit Architecture

QLNX hides itself with both a userland and a kernel-level rootkit.
The userland rootkit uses the Linux dynamic linker's LD_PRELOAD mechanism to intercept library calls and hide the implant's artifacts, so its processes, files, and network connections are filtered out of standard tool output.

The kernel-level component is an eBPF rootkit that can receive commands from the C2 server to hide processes from ps, files from ls, and network ports from netstat.

This two-tiered approach makes QLNX nearly invisible to both casual inspection and standard security tools.

Command and Control Capabilities

QLNX maintains persistent communication with its C2 server over raw TCP, HTTPS, and HTTP, running a continuous loop that re-establishes the connection whenever it is interrupted.

Once connected, the implant supports 58 distinct commands that give operators complete control over the compromised host, including executing shell commands, managing files (upload, download, delete, modify), injecting code into running processes, capturing screenshots, logging keystrokes, establishing SOCKS proxies, creating TCP tunnels, running Beacon Object Files (BOFs), and managing a peer-to-peer (P2P) mesh network.

The P2P mesh capability is particularly notable: QLNX can form a decentralized network of compromised hosts, so even if the main C2 server is taken down, commands can still propagate through the mesh.

Delivery Method Unknown

Trend Micro's research team has not determined how QLNX reaches its victims. They consider phishing emails sent to developers, compromised open source packages, watering-hole attacks on developer forums, and compromised software development tools to be likely delivery routes.

Once installed on a victim's machine, the implant follows a consistent operational life cycle: arrive, erase itself from disk, persist, hide, and harvest developer credentials.

Log Wiping and Evasion

QLNX actively wipes system logs to cover its tracks, clearing traces of its installation, execution, and network connections. This makes post-incident investigation difficult: by the time a developer realizes the workstation has been compromised, the implant has already wiped out all of the forensic evidence.

Container Environment Detection

QLNX profiles its host environment, and if it detects that it is running inside a container, it may behave differently than it would on a bare workstation.

This suggests the operators expect to encounter both traditional Linux workstations and containerized development environments, and the malware is designed to work in both.

Supply Chain Impact

The most concerning aspect of QLNX is its supply chain implications.

Consider a maintainer who publishes popular npm packages. If QLNX steals their npm token, an attacker can publish a malicious version of a legitimate package, wait for users to update, execute code on thousands of developer machines, and repeat the process recursively.

QLNX targets the credentials needed to publish packages because the attackers are not after the developer's personal data; they want access to the supply chain.

How to Protect Your Development Environment

QLNX is sophisticated, but you can take steps to protect your systems.

1. Use short-lived tokens. Long-lived tokens are what make the credentials QLNX steals so valuable: they remain usable long after the theft. Prefer temporary credentials that expire quickly, such as AWS IAM roles, GitHub fine-grained tokens with an expiration, and short-lived npm tokens, to minimize the window in which a stolen token can be used.

2. Store credentials in dedicated secret managers. QLNX searches for credentials stored in files such as .env, .npmrc, and .aws/credentials, so keep secrets in a dedicated secret management service such as HashiCorp Vault or AWS Secrets Manager instead.

3. Monitor for PAM backdoors. QLNX installs a PAM inline-hook backdoor, so audit your PAM configuration regularly for modules you did not put there.

4. Look for LD_PRELOAD anomalies. QLNX relies on LD_PRELOAD for its userland rootkit, so monitor that environment variable for unexpected entries.

5. Use eBPF detection tools. Because QLNX installs eBPF programs to hide itself, specialized eBPF detection tools can surface malicious BPF programs.

6. Run memory scans regularly. Because QLNX executes filelessly from memory, traditional file-based scanners will not find it; memory forensics tools give you a chance to identify the in-memory implant.

7. Isolate development environments. QLNX spreads through developer workstations, so use separate, isolated environments for credential management and package publishing.
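The PAM audit and LD_PRELOAD checks from steps 3 and 4, plus a check for processes hiding behind kernel-thread names as described under How QLNX Operates, as an added example that is not code from the article or from Trend Micro. Each function takes explicit paths so it can be pointed at a live host (/etc/pam.d, /etc/ld.so.preload, /proc) or at constructed fixtures; the module allowlist, the /etc/ld.so.preload check, and the rule that genuine kernel threads are children of kthreadd (PID 2) are assumptions this example adds that the article does not state.

```shell
#!/bin/sh
# Added example, not the article's or Trend Micro's code. Three read-only host
# checks matching the article's defensive advice. Every function takes paths as
# arguments so it can run against the live system or against test fixtures.
# Each printed line is a finding; no output means nothing suspicious was seen.

# 1. PAM audit: modules referenced under a pam.d directory ($1) that are absent
#    from an allowlist file ($2, one module per line, e.g. pam_unix.so). The
#    allowlist is an assumption of this example; build it from a known-good host.
pam_unexpected_modules() {
    grep -rhoE 'pam_[A-Za-z0-9_]+\.so' "$1" 2>/dev/null | sort -u | grep -vxF -f "$2"
    return 0
}

# 2. LD_PRELOAD audit: non-comment entries in the dynamic linker's preload file
#    ($1, normally /etc/ld.so.preload) plus any process under the proc root ($2)
#    whose environment carries LD_PRELOAD. The preload-file check is added here;
#    the article only names the environment variable.
preload_findings() {
    if [ -s "$1" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's#^#ld.so.preload: #'
    fi
    for env in "$2"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        tr '\0' '\n' < "$env" 2>/dev/null | grep -q '^LD_PRELOAD=' &&
            echo "LD_PRELOAD set in pid $(basename "$(dirname "$env")")"
    done
    return 0
}

# 3. Kernel-thread masquerade: genuine kworker/ksoftirqd threads are children of
#    kthreadd (PID 2). A process with a kernel-thread name under the proc root
#    ($1) but a different parent is user-space code hiding behind that name.
fake_kernel_threads() {
    for d in "$1"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        pid=$(basename "$d")
        case "$(cat "$d/comm")" in
            kworker*|ksoftirqd*|kthreadd|migration/*|rcu_*|kswapd*) ;;
            *) continue ;;
        esac
        [ "$pid" = 2 ] && continue
        ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null)
        [ "$ppid" = 2 ] || echo "pid $pid comm $(cat "$d/comm") ppid ${ppid:-?}"
    done
    return 0
}
```

On a live host run the three functions as root with /etc/pam.d, /etc/ld.so.preload and /proc as arguments; because the eBPF rootkit can filter /proc, treat a clean result as a hint, not proof.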

Final Thoughts

QLNX represents a new level of sophistication in supply chain attacks: it is not a generic Linux backdoor but a tool purpose-built for developers.

The implant hides at both userland and kernel level, survives through seven persistence mechanisms, and steals exactly the credentials needed to poison npm, PyPI, and cloud infrastructure.

Trend Micro summarized the threat perfectly: what makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.

If you develop software on Linux, assume QLNX could be targeting you: audit your credentials, check your PAM configuration, monitor your logs, and do not let your keystrokes become someone else's supply chain weapon.

FAQ

Q1: What is Quasar Linux RAT (QLNX)?
Quasar Linux RAT (QLNX) is a sophisticated Linux implant designed to steal developer credentials for supply chain attacks. It targets npm, PyPI, AWS, Kubernetes, and Docker credentials and exfiltrates them to an attacker-controlled server.

Q2: How does QLNX hide itself?
QLNX uses a two-tiered rootkit architecture: a userland rootkit based on LD_PRELOAD hides processes and files from standard tools, and a kernel-level eBPF component conceals processes, files, and network ports from ps, ls, and netstat on instruction from the C2 server.

Q3: What credentials does Quasar Linux RAT target?
QLNX targets .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files.

Q4: How does QLNX achieve persistence?
QLNX uses at least seven persistence mechanisms, including systemd services, crontab entries, and .bashrc shell injection; if one is removed, the malware falls back to another.

Q5: Is there any way to detect Quasar Linux RAT?
Detecting QLNX is hard but not impossible. The implant creates no files on disk and hides behind eBPF and LD_PRELOAD rootkits, so detection requires several kinds of analysis: memory forensics, eBPF monitoring, PAM configuration audits, and behavioral analysis of outbound connections.

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067