Sophisticated Quasar Linux RAT Targets Software Developers
Briefly

"An attacker who successfully deploys QLNX against a package maintainer gains access to that maintainer's publishing pipeline. A single compromise can be silently leveraged to trojanize packages, inject backdoors into build artifacts, or pivot into cloud environments where production infrastructure lives."
"QLNX contains two PAM backdoor implementations: the first harvests plaintext credentials from authentication events, contains a master password bypass, and logs outbound SSH session data; the second loads into dynamically linked processes to extract the service name, username, and authentication token."
Quasar Linux (QLNX) is a recently identified remote access Trojan (RAT) that targets developer credentials in the software supply chain. It uses a modular architecture, multiple evasion techniques and a rootkit to maintain remote access to infected machines. QLNX specifically hunts for AWS credentials, Kubernetes tokens, Docker Hub credentials and Git access tokens, which would let an attacker publish malicious packages through a compromised maintainer's pipeline. The RAT executes in memory, disguises its process name and can delete itself from disk to evade detection. It also ships a Pluggable Authentication Module (PAM) backdoor for harvesting credentials and collects extensive system information.
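As an added example (not code from the SecurityWeek article or from the QLNX analysis it reports on), the following Python script hunts on a Linux host for two of the behaviours summarised above: PAM modules that an expected baseline does not contain, and processes that run from a deleted binary or whose name does not match the executable they actually run. The module allowlist is a hypothetical baseline, and the sample /etc/pam.d contents, including the placeholder module name pam_example_backdoor.so, are constructed for the example.

```python
"""Host-side hunt for two QLNX behaviours: PAM modules the baseline does not
expect, and processes whose binary is gone from disk or whose name disagrees
with what they execute. Allowlist and sample data are constructed for this
example; build a real baseline from your package manager."""
import os
import re
from pathlib import Path

# Hypothetical baseline. On a real host derive it from the package manager
# (dpkg -S / rpm -qf on every module under the security/ directories).
EXPECTED_PAM_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_systemd.so",
    "pam_limits.so", "pam_motd.so", "pam_nologin.so", "pam_loginuid.so",
    "pam_keyinit.so", "pam_selinux.so", "pam_mail.so", "pam_umask.so",
    "pam_lastlog.so", "pam_cap.so", "pam_access.so", "pam_succeed_if.so",
}

# type  control  module-path [args]; the control field may be a bracketed
# list containing spaces, and a leading '-' marks an optional module.
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def unexpected_pam_modules(pam_d_files, expected=EXPECTED_PAM_MODULES):
    """Return [(file, module)] for each module referenced in /etc/pam.d that
    is not in the baseline. pam_d_files maps file name -> contents, so the
    check also runs on a copy collected from a suspect host."""
    hits = []
    for name, text in pam_d_files.items():
        for line in text.splitlines():
            m = PAM_LINE.match(line)
            if not m:          # comments, blank lines, @include
                continue
            module = os.path.basename(m.group(3))
            if module not in expected:
                hits.append((name, module))
    return hits


def load_pam_d(path="/etc/pam.d"):
    """Read a live /etc/pam.d into the mapping unexpected_pam_modules expects."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).iterdir() if p.is_file()}


def _names_agree(a, b):
    # comm is truncated to 15 bytes and interpreter symlinks (python3 ->
    # python3.11) make exact comparison noisy: accept a prefix either way.
    return bool(a) and bool(b) and (a.startswith(b) or b.startswith(a))


def suspicious_process(comm, cmdline, exe_target):
    """Reasons to inspect a process, given /proc/PID/comm, /proc/PID/cmdline
    (NUL-separated) and the readlink() result of /proc/PID/exe."""
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append("executable deleted on disk")   # in-memory / self-deleted
    exe_name = os.path.basename(exe_target.replace(" (deleted)", ""))
    argv0 = os.path.basename(cmdline.split("\0")[0]) if cmdline else ""
    if not _names_agree(comm, exe_name) and not _names_agree(argv0, exe_name):
        reasons.append(f"name mismatch: comm={comm!r} argv0={argv0!r} exe={exe_name!r}")
    return reasons


def scan_proc(proc="/proc"):
    """Apply suspicious_process to every PID we can read; returns {pid: reasons}."""
    findings = {}
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            cmdline = (entry / "cmdline").read_bytes().decode(errors="replace")
            exe = os.readlink(entry / "exe")
        except OSError:        # exited, kernel thread, or not ours to read
            continue
        reasons = suspicious_process(comm, cmdline, exe)
        if reasons:
            findings[int(entry.name)] = reasons
    return findings


# Constructed sample: a benign common-auth and an sshd stack that pulls in a
# module the baseline does not know (placeholder name, not a real QLNX artifact).
SAMPLE_PAM_D = {
    "common-auth": ("auth [success=1 default=ignore] pam_unix.so nullok\n"
                    "auth requisite pam_deny.so\n"
                    "auth required pam_permit.so\n"),
    "sshd": ("#%PAM-1.0\n"
             "@include common-auth\n"
             "auth optional /usr/lib/x86_64-linux-gnu/security/pam_example_backdoor.so\n"
             "session required pam_limits.so\n"),
}

if __name__ == "__main__":
    print("sample:", unexpected_pam_modules(SAMPLE_PAM_D))
    print("live pam.d:", unexpected_pam_modules(load_pam_d()))
    for pid, why in scan_proc().items():
        print(pid, "; ".join(why))
```

Run as root to see every process; the name-mismatch rule deliberately tolerates login shells (`-bash`), sshd's rewritten argv and versioned interpreter symlinks, so anything it still flags alongside a deleted `exe` link deserves a look at the process's memory maps and open sockets.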
Read at SecurityWeek