New Quasar Linux RAT steals AWS, GitHub, Docker, and Kubernetes credentials using stealth rootkit tactics in May 2026.

Cybersecurity researchers have uncovered a sophisticated new Linux malware strain designed to infiltrate developer environments and steal credentials tied to major software supply chain platforms.
The malware, dubbed Quasar Linux or QLNX, was disclosed in May 2026 after researchers identified the threat targeting systems used by developers and DevOps teams. Security analysts warn the malware could be leveraged to compromise cloud infrastructure, source code repositories, and software distribution pipelines.
According to researchers, QLNX is a highly persistent Linux remote access trojan equipped with rootkit and backdoor functionality. The malware is capable of stealing sensitive credentials linked to AWS, Kubernetes, Docker Hub, Git repositories, npm, and PyPI accounts. Attackers could use the stolen access tokens to inject malicious code into legitimate software packages or infrastructure environments.
The implant reportedly uses multiple stealth mechanisms, including fileless execution, encrypted communications, in-memory persistence, and process masquerading to avoid detection. Analysts said the malware also compiles rootkit and PAM backdoor components directly on infected systems, making forensic analysis more difficult.
Researchers believe the campaign is focused on long-term access rather than immediate disruption, with infected developer machines potentially serving as entry points into broader software supply chain ecosystems.
The malware also includes surveillance and credential harvesting capabilities such as keylogging, filesystem monitoring, clipboard collection, and network tunneling. Some variants are capable of peer-to-peer communications, allowing attackers to maintain resilient access even if command-and-control infrastructure is disrupted.
Security experts warned that developer environments are increasingly becoming prime targets for cybercriminals because compromising a single workstation can provide access to production systems, cloud platforms, and trusted software distribution channels. Community discussions surrounding the malware have highlighted growing concerns over software supply chain attacks targeting Linux infrastructure.
Researchers recommend organizations strengthen monitoring on Linux developer systems, enforce multi-factor authentication across development platforms, and audit access tokens and cloud credentials for unusual activity.
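As an added, defender-side illustration of the token audit recommended above (example code, not from the researchers' report or any vendor tool), the script below inventories the default on-disk credential stores for the platforms the article names, flags files readable beyond their owner, and flags tokens that have not been rotated recently. The file paths are the well-known CLI defaults, and the 90-day rotation threshold is an assumption chosen for this example.

```python
import os
import stat
import time

# Default on-disk credential stores for the platforms the article names.
# Paths are the well-known CLI defaults, relative to the user's home directory.
CREDENTIAL_STORES = {
    ".aws/credentials": "AWS",
    ".kube/config": "Kubernetes",
    ".docker/config.json": "Docker Hub",
    ".git-credentials": "git",
    ".npmrc": "npm",
    ".pypirc": "PyPI",
}

# Rotation threshold is an assumption for this example, not from the report.
MAX_AGE_DAYS = 90

def assess(rel_path, mode, mtime, now=None):
    """Judge one credential file from its permission bits and mtime.
    Returns platform, age in days and a list of issues (empty means ok)."""
    now = time.time() if now is None else now
    issues = []
    # Anything beyond owner read/write lets other local accounts, or a
    # process running as them, read the token without needing root.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("readable by group/other; chmod 0600")
    age_days = (now - mtime) / 86400
    if age_days > MAX_AGE_DAYS:
        issues.append(f"unchanged for {age_days:.0f} days; rotate the token")
    return {"path": rel_path, "platform": CREDENTIAL_STORES[rel_path],
            "age_days": age_days, "issues": issues}

def inventory(home, now=None):
    """Stat each known store under `home`; return assessments for those present."""
    results = []
    for rel in CREDENTIAL_STORES:
        try:
            st = os.stat(os.path.join(home, rel))
        except OSError:
            continue  # store not present (or unreadable); nothing to assess
        results.append(assess(rel, stat.S_IMODE(st.st_mode), st.st_mtime, now))
    return results

if __name__ == "__main__":
    for r in inventory(os.path.expanduser("~")):
        status = "; ".join(r["issues"]) or "ok"
        print(f'{r["platform"]:10} {r["path"]:22} {status}')
```

Run it as the developer user on each Linux workstation; any line that is not "ok" is a token to rotate or a file to lock down before an implant of this kind can harvest it.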