Quasar Linux (QLNX) is a modular Linux backdoor with advanced persistence and evasion capabilities, including a rootkit that hides processes, files, and network ports at both user and kernel levels. It targets software developers by stealing credentials and tokens for cloud services and development platforms such as AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI. The RAT uses multiple persistence mechanisms (crontab, init scripts, service files, etc.) and deploys PAM backdoors to capture plaintext credentials and SSH session data. It executes in memory, spoofs process names, deletes itself to avoid detection, and clears system logs. The malware supports 58 commands enabling attackers to manipulate files, processes, network connections, and harvest sensitive data including clipboard contents, SSH keys, and browser profiles. This comprehensive capability chain allows attackers to compromise software supply chains and cloud environments stealthily.

Successful deployment of QLNX allows attackers to gain remote access to infected Linux systems used by software developers, enabling credential theft for critical development and cloud infrastructure accounts. This can lead to unauthorized access to development tools, cloud environments, and repositories, potentially allowing attackers to inject malicious code into software packages, compromise build artifacts, and pivot into production infrastructure. The malware's stealth features and multiple persistence methods increase the difficulty of detection and removal, posing a significant risk to software supply chain integrity and cloud security.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Given the lack of an official fix or vendor advisory, organizations should prioritize detection and removal of QLNX through endpoint security solutions capable of identifying rootkits and PAM backdoors. Monitoring for unusual persistence mechanisms and credential harvesting behaviors on Linux developer workstations is recommended. Restricting access to critical development and cloud credentials and employing multi-factor authentication can reduce the impact of credential theft. Incident response should focus on identifying and eradicating the malware and rotating compromised credentials.