{"id":242654,"date":"2026-05-04T06:50:00","date_gmt":"2026-05-04T10:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/"},"modified":"2026-05-09T19:55:25","modified_gmt":"2026-05-09T23:55:25","slug":"quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-rootkit-pam-backdoor-credential-harvesting-capabilities\/","title":{"rendered":"Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities"},"content":{"rendered":"<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html\">Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities<\/a><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html\">https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-04 06:50:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.trendmicro.com\">www.trendmicro.com<\/a><\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>The QLNX implant was built for long-term stealth and credential theft. 
What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.<\/p>\n<p>QLNX systematically targets the files that underpin modern software development and cloud infrastructure: .npmrc (NPM registry tokens), .pypirc (PyPI upload keys), .git-credentials, .aws\/credentials, .kube\/config, and .docker\/config.json. These are the keys to the software supply chain. A single compromised developer workstation could give the attacker the ability to publish trojanized packages to NPM or PyPI, inject backdoors into container images, or pivot from a personal laptop into production cloud environments.<\/p>\n<p>This is not a theoretical risk. The LiteLLM supply chain compromise in March 2026 followed exactly this pattern: stolen credentials from one tool were used to trojanize a Python package with 3.4 million daily downloads. 
QLNX&#8217;s capability set maps directly to every step of that kill chain.<\/p>\n<p>The combination of the rootkit, the PAM backdoor capable of silently intercepting plaintext passwords, and the P2P mesh network allowing implants to relay through each other compounds the difficulty of detection and eradication.<\/p>\n<p>Trend Vision One customers are protected against the indicators of compromise documented in this analysis, with access to hunting queries, threat insights, and intelligence reports related to QLNX.<\/p>\n<p><span class=\"body-subhead-title\">Proactive security with Trend Vision One\u2122<\/span><\/p>\n<p>Trend Vision One\u2122 is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.<\/p>\n<p><span class=\"body-subhead-title\">Trend Vision One\u2122 Network Security<\/span><\/p>\n<p>47135: HTTP: Backdoor.Linux.QLNX.A Runtime&#8230;<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quasar Linux (QLNX) \u2013 A Silent Foothold in the Supply Chain: Inside a Full-Featured 
Linux&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242655,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/e\/quasar-linux%E2%80%93a-silent-foothold-in-the-supply-chain.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,29,57],"class_list":["post-242654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-network-security","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242654"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242654"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242654\/revisions"}],"predecessor-version":[{"id":242656,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242654\/revisions\/242656"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242655"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}