
Stealthy Quasar Linux Malware Targets Developers, Enables Supply‑Chain Compromise of Code Repositories

A new Linux implant, Quasar Linux (QLNX), is being distributed through malicious npm, PyPI, GitHub, Docker, and Kubernetes packages. It installs a rootkit, backdoor, and credential‑stealing modules on developer workstations, creating a stealthy, file‑less foothold that can be leveraged to compromise downstream production environments.

LiveThreat™ Intelligence Brief · May 06, 2026 · Source: bleepingcomputer.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 3 recommended

What Happened – Researchers uncovered a previously unknown Linux implant, Quasar Linux (QLNX), that infiltrates development and DevOps environments. The malware is distributed via malicious packages on npm, PyPI, GitHub, AWS, Docker Hub, and Kubernetes registries, giving threat actors a foothold in software supply chains.

Why It Matters for TPRM

  • Provides a stealthy, file‑less persistence mechanism that can evade traditional endpoint detection.
  • Harvests SSH keys, cloud credentials, and developer secrets, opening pathways to downstream customer data and production systems.
  • Demonstrates a supply‑chain vector that compromises third‑party code libraries, expanding risk beyond the immediate vendor.

Who Is Affected – Technology / SaaS firms, cloud service providers, DevOps tool vendors, and any organization that consumes open‑source packages or runs Linux‑based development workstations.

Recommended Actions

  • Audit all third‑party package dependencies for anomalous binaries or unexpected version changes.
  • Enforce strict code‑signing and provenance verification for npm, PyPI, and container images.
  • Deploy runtime integrity monitoring (e.g., LD_PRELOAD detection, eBPF alerts) on developer workstations.

Technical Notes – QLNX compiles a rootkit and PAM backdoor on‑host using gcc, employs seven persistence techniques (including LD_PRELOAD, systemd, crontab, init.d, XDG autostart, and .bashrc injection), and communicates via custom TCP/TLS or HTTPS C2 channels. It exfiltrates SSH keys, browser cookies, cloud config files, and /etc/shadow, and can pivot laterally using SSH tunneling and a peer‑to‑peer mesh. Source: BleepingComputer
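An added host-audit script (not from this brief or from BleepingComputer's reporting) that walks the persistence locations listed in the Technical Notes and serves as one concrete form of the runtime integrity check recommended above; the suspect-path regex, the staged-root option and the sample findings are assumptions of this example.

```shell
#!/bin/sh
# Added defender-side check (not from the brief): walk the persistence
# locations the brief attributes to QLNX (ld.so.preload / LD_PRELOAD,
# .bashrc, cron, systemd, init.d, XDG autostart) and flag entries that launch
# something from a scratch directory, a hidden dot-dir under $HOME, or a
# curl-to-shell pipe. Heuristic only: every hit needs a human to confirm it.

# Constructed regex (assumption of this example), applied as grep -E.
SUSPECT='(/tmp|/dev/shm|/var/tmp)/|(\$HOME|~)/\.[A-Za-z0-9_-]+/|curl[^|]*[|][[:space:]]*(ba)?sh'

# audit_persistence ROOT HOME -> prints one FINDING line per hit and returns
# the number of hits. ROOT is "" for the live host, or a staged copy of a
# suspect filesystem for offline triage; HOME is the developer account's home.
audit_persistence() {
  root="$1"; home="$2"; n=0
  # 1. /etc/ld.so.preload: any non-empty content is unusual on a workstation.
  if [ -s "$root/etc/ld.so.preload" ]; then
    echo "FINDING ld.so.preload: $(tr '\n' ' ' <"$root/etc/ld.so.preload")"
    n=$((n+1))
  fi
  # 2. LD_PRELOAD exported from system-wide or per-user shell startup files.
  for f in "$root/etc/environment" "$root/etc/profile" \
           "$root$home/.profile" "$root$home/.bashrc"; do
    if [ -f "$f" ] && grep -q 'LD_PRELOAD=' "$f"; then
      echo "FINDING LD_PRELOAD set in $f"; n=$((n+1))
    fi
  done
  # 3. .bashrc injection, cron, systemd units, init.d and XDG autostart:
  #    flag any entry whose command references a suspect launch path.
  for f in "$root$home/.bashrc" "$root$home/.profile" \
           "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/* \
           "$root"/etc/systemd/system/*.service \
           "$root$home"/.config/systemd/user/*.service \
           "$root"/etc/init.d/* "$root$home"/.config/autostart/*.desktop; do
    if [ -f "$f" ] && grep -Eq "$SUSPECT" "$f"; then
      echo "FINDING suspect launch path in $f: $(grep -E "$SUSPECT" "$f" | head -1)"
      n=$((n+1))
    fi
  done
  return "$n"
}

# Stand-alone run against the live host for the current user.
if audit_persistence "" "$HOME"; then echo "no findings"; else echo "findings: $?"; fi
```

Run it with a non-empty ROOT against a mounted image or a copied filesystem tree to triage a workstation offline without executing anything from it.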

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
