Quasar Linux (QLNX) Implant Targeting Developer and DevOps Environments

Scope: Linux Developer Workstations, DevOps Infrastructure (npm, PyPI, GitHub, AWS, Docker, Kubernetes)

Severity: Red

A previously undocumented Linux implant named Quasar Linux (QLNX), discovered by Trend Micro, is actively targeting software developer systems with a dual-layer rootkit architecture combining LD_PRELOAD userspace hooks and an eBPF kernel-level component, making it highly evasive against standard detection tools. QLNX harvests high-value developer credentials including SSH keys, NPM tokens, PyPI API keys, AWS credentials, Kubernetes configs, and Docker Hub secrets, enabling downstream supply chain attacks through compromised developer accounts on npm and PyPI. Organizations should deploy EDR with Linux coverage on developer systems, immediately rotate all exposed credentials, monitor for suspicious outbound connections from dev environments, and enforce least privilege on CI/CD pipelines.
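A defender's first two questions after reading the above are "is an LD_PRELOAD hook present on this workstation?" and "which credential files would an implant like this have reached, so what must be rotated?". The script below is an added example, not tooling from Trend Micro or CERT.UG/CC and not derived from the implant itself. It assumes the standard Linux locations for `/etc/ld.so.preload`, `/proc/<pid>/environ` and the usual per-user credential files (`~/.ssh`, `~/.npmrc`, `~/.pypirc`, `~/.aws/credentials`, `~/.kube/config`, `~/.docker/config.json`); the sample inputs in the `__main__` block are constructed.

```python
#!/usr/bin/env python3
"""Triage helpers for a Linux developer workstation: flag LD_PRELOAD persistence
and inventory the credential files that would need rotation.
Added example, not the advisory's or the vendor's code; paths are the usual
defaults and the sample data at the bottom is constructed."""
import os
from pathlib import Path
from typing import Dict, List, Optional

# Standard credential locations (relative to $HOME) that a credential-harvesting
# implant would target; presence of a file means its secret goes on the rotation list.
CREDENTIAL_FILES = {
    "ssh": [".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa"],
    "npm": [".npmrc"],
    "pypi": [".pypirc"],
    "aws": [".aws/credentials"],
    "kubernetes": [".kube/config"],
    "docker": [".docker/config.json"],
}


def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Return library paths listed in /etc/ld.so.preload, ignoring blanks and
    '#' comments. On a clean workstation the file is absent or empty, so any
    entry at all deserves a manual look."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def ld_preload_from_environ(environ_blob: bytes) -> Optional[str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs) and
    return the LD_PRELOAD value if the process was started with one."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def processes_with_ld_preload(proc_root: str = "/proc") -> Dict[int, str]:
    """Walk procfs and map pid -> LD_PRELOAD for every readable process that has it set."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            blob = Path(proc_root, entry, "environ").read_bytes()
        except OSError:  # permission denied, or the process exited mid-walk
            continue
        value = ld_preload_from_environ(blob)
        if value:
            hits[int(entry)] = value
    return hits


def credential_inventory(home: str) -> Dict[str, List[str]]:
    """Map credential category -> files that exist under `home`.
    This is the rotation checklist for a suspected compromise."""
    found = {}
    for category, rel_paths in CREDENTIAL_FILES.items():
        present = [str(Path(home, p)) for p in rel_paths if Path(home, p).is_file()]
        if present:
            found[category] = present
    return found


def triage(proc_root: str = "/proc", ld_so_preload: str = "/etc/ld.so.preload",
           home: Optional[str] = None) -> dict:
    """Run all three checks against the live host (or alternate roots for testing)."""
    home = home or os.path.expanduser("~")
    try:
        preload_text = Path(ld_so_preload).read_text()
    except OSError:
        preload_text = ""
    return {
        "ld_so_preload": preload_entries(preload_text),
        "processes_with_ld_preload": processes_with_ld_preload(proc_root),
        "credentials_to_rotate": credential_inventory(home),
    }


if __name__ == "__main__":
    # Constructed sample inputs so the parsers can be seen working without touching the host.
    sample_preload = "# vendor comment\n/usr/local/lib/libexample.so   \n\n"
    sample_environ = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/x.so\0HOME=/root\0"
    print("ld.so.preload entries:", preload_entries(sample_preload))
    print("LD_PRELOAD from environ:", ld_preload_from_environ(sample_environ))
    # Live run against this machine (read-only).
    print("host triage:", triage())
```

Two caveats matter here. First, a userspace hook that intercepts file and directory reads can lie to this very script, so run it from a trusted live medium or compare its output against an out-of-band view of the disk. Second, the eBPF half of a dual-layer implant is invisible to procfs checks; pair this with `bpftool prog list` (and `bpftool map list`) run as root and review any program you did not load yourself. Treat every file the inventory returns as exposed and rotate the corresponding secret, as the advisory recommends.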

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.