Quasar Linux RAT Harvests Developer Credentials, Endangering Software Supply Chains
What Happened — Researchers uncovered a previously undocumented Linux Remote Access Trojan, dubbed Quasar Linux RAT (QLNX), that silently installs on developers’ workstations. The malware harvests DevOps and code‑repository credentials, logs keystrokes, captures clipboard data, manipulates files, and creates network tunnels for further exploitation.
Why It Matters for Third‑Party Risk Management (TPRM) —
- Credential theft from developers can enable supply‑chain attacks that compromise downstream customers.
- Silent footholds on build servers bypass traditional perimeter defenses, increasing the attack surface of third‑party software.
- The open‑source nature of many development tools means the threat can propagate across multiple vendors and industries.
Who Is Affected — Software development firms, DevOps service providers, SaaS platforms that host code repositories, and any organization that outsources software engineering.
Recommended Actions —
- Conduct an immediate inventory of developer workstations and CI/CD environments.
- Enforce MFA and least‑privilege access for all code‑repository accounts.
- Deploy endpoint detection and response (EDR) solutions with Linux support and monitor for QLNX indicators.
- Review third‑party risk contracts for supply‑chain security clauses and require regular security attestations.
Technical Notes — QLNX is delivered via a custom Linux binary, likely through compromised third‑party packages or phishing. It employs keylogging, clipboard monitoring, file manipulation, and encrypted network tunneling. No public CVE is associated; the implant is a novel malware family. Source: The Hacker News