Trend Micro: QLNX Implant Targets Developers for Supply Chain Attacks

Trend Micro on May 5, 2026 disclosed QLNX (Quasar Linux), a Linux implant targeting software developers with a 58-command shell, dual-layer eBPF rootkit, and 7 persistence mechanisms to enable supply chain attacks on npm, PyPI, and GitHub.

    Trend Micro disclosed QLNX — Quasar Linux — on May 5, 2026, a previously undocumented Linux implant engineered specifically to compromise software developers and DevOps environments as a staging point for downstream supply chain attacks. The malware combines a 58-command remote control framework with a dual-layer eBPF rootkit and seven persistence mechanisms, targeting developer credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes to enable injection of malicious code into public package repositories.

    QLNX Targets Software Developers as an Entry Point into Public Package Repositories

    Unlike malware designed for broad enterprise compromise or ransomware deployment, QLNX is built around a specific attack objective: compromise individual software developers and DevOps engineers to gain access to the credentials and signing capabilities needed to inject malicious code into public package ecosystems. The malware actively targets credentials associated with npm, PyPI, GitHub, AWS, Docker, and Kubernetes — the toolchain components that give a developer the ability to publish packages consumed by downstream users at scale.
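    As an added illustration, not Trend Micro's tooling or anything taken from the QLNX report, the script below inventories the on-disk credential stores for the six ecosystems named above and reports which of them hold a long-lived secret in plaintext. An implant running as the developer gets everything it can read with a single file open, so this is the list of what a compromise yields. The paths and regexes are this example's assumptions about each tool's default layout, and the sample home directory it builds is constructed for the example with placeholder strings, not real tokens.

```python
import os
import re
import tempfile
from pathlib import Path

# Default on-disk credential stores for the six ecosystems the page names.
# Paths are the tools' documented defaults; the regexes are this example's own
# heuristics for a long-lived secret kept in plaintext.
CREDENTIAL_STORES = [
    ("npm",        ".npmrc",               re.compile(r"_authToken\s*=\s*\S+")),
    ("PyPI",       ".pypirc",              re.compile(r"^\s*password\s*=\s*\S+", re.M)),
    ("GitHub",     ".config/gh/hosts.yml", re.compile(r"oauth_token:\s*\S+")),
    ("GitHub",     ".git-credentials",     re.compile(r"https?://[^:/\s]+:[^@\s]+@")),
    ("AWS",        ".aws/credentials",     re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I)),
    ("Docker",     ".docker/config.json",  re.compile(r'"auth"\s*:\s*"[A-Za-z0-9+/=]+"')),
    ("Kubernetes", ".kube/config",         re.compile(r"^\s*(token|client-key-data):\s*\S+", re.M)),
]


def audit_credentials(home: str) -> list[dict]:
    """Inventory the stores present under `home`: whether other local users can
    read them and whether they hold a plaintext secret that an implant running
    as this user can lift with one file read."""
    results = []
    for ecosystem, rel, secret_re in CREDENTIAL_STORES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        mode = path.stat().st_mode & 0o777
        text = path.read_text(errors="replace")
        results.append({
            "ecosystem": ecosystem,
            "path": str(path),
            "group_or_world_readable": bool(mode & 0o044),
            "plaintext_secret": secret_re.search(text) is not None,
        })
    return results


def rotation_list(results: list[dict]) -> set[str]:
    """Ecosystems whose token must be treated as stolen once the host is suspect.
    File mode is deliberately ignored: QLNX runs as the file's owner, so only
    secrets that are not on disk in plaintext (OS keyring, credential helper,
    short-lived tokens) survive a workstation compromise."""
    return {r["ecosystem"] for r in results if r["plaintext_secret"]}


def build_sample_home() -> str:
    """Constructed fixture: a throwaway home directory holding placeholder,
    non-functional credentials. Not data from any real host."""
    home = Path(tempfile.mkdtemp(prefix="qlnx-creds-"))
    (home / ".npmrc").write_text("registry=https://registry.npmjs.org/\n"
                                 "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n")
    (home / ".npmrc").chmod(0o600)
    (home / ".aws").mkdir()
    (home / ".aws/credentials").write_text("[default]\naws_access_key_id=AKIAPLACEHOLDER\n"
                                           "aws_secret_access_key=PLACEHOLDER\n")
    (home / ".aws/credentials").chmod(0o644)        # deliberately too permissive
    (home / ".docker").mkdir()
    # credsStore delegates to a helper, so there is no "auth" blob to steal here
    (home / ".docker/config.json").write_text('{"credsStore": "pass", "auths": {}}\n')
    (home / ".kube").mkdir()
    # exec plugin fetches a short-lived token on demand; nothing static to lift
    (home / ".kube/config").write_text("users:\n- name: dev\n  user:\n    exec:\n      command: aws\n")
    return str(home)


if __name__ == "__main__":
    found = audit_credentials(os.path.expanduser("~"))
    for r in found:
        print(f"{r['ecosystem']:<11} {r['path']}  plaintext={r['plaintext_secret']}"
              f"  readable_by_others={r['group_or_world_readable']}")
    print("rotate if this host is suspect:", sorted(rotation_list(found)))
```

    The mode check is still reported because a 0644 credentials file is a separate, older problem, but it plays no part in the rotation decision: 0600 keeps a token from other local users, not from malware running as the owner. The Docker credsStore and kubeconfig exec entries in the fixture show the alternative that does hold up, nothing static on disk for the implant to replay.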

    Trend Micro did not attribute QLNX to a known threat actor and did not disclose how many attacks or infections were observed during the discovery period.

    58-Command Remote Control Framework and Fileless Operation

    QLNX gives a remote operator a 58-command interactive shell covering the full range of post-compromise activity: keylogging, screenshot capture, clipboard monitoring, TCP tunneling, file operations, and in-memory code execution. After installation it deletes its original binaries and wipes system logs to remove forensic artifacts, so the implant body runs fileless from then on and leaves a smaller footprint for detection. Its persistence entries still have to live on disk, however, which makes them the most durable artifacts a responder can hunt for.

    Operational capabilities documented by Trend Micro include:

    • Interactive 58-command remote shell
    • Keylogging of developer credentials and secrets
    • Screenshot capture and clipboard monitoring
    • TCP tunneling for command-and-control traffic
    • Log wiping and binary self-deletion post-installation

    Dual-Layer eBPF Rootkit: Userland and Kernel-Level Stealth Compiled On Target

    QLNX’s most significant technical capability is a dual-layer rootkit that pairs a userland rootkit with a kernel-level eBPF rootkit. Rather than shipping a pre-built kernel component that could be matched by signature, the implant carries the rootkit as source and compiles it on the victim with gcc, a compiler that is routinely installed on developer workstations, so each host ends up with its own freshly built eBPF program. The trade-off is that the build itself is observable: a compiler process whose parent is neither an editor, a build tool nor an interactive shell is rare on a workstation and is a reasonable detection pivot.

    Combining userland and kernel-level concealment makes QLNX considerably harder to detect with standard monitoring tools. Loading eBPF programs requires CAP_BPF or CAP_SYS_ADMIN, so the kernel layer can only be installed once the implant holds root-equivalent privileges; once loaded, the program executes in kernel context and can hide processes, network connections, and file activity from any tool that reads /proc or the filesystem from user space. On a clean host, bpftool prog show and bpftool link show enumerate loaded programs and their attachment points; on a compromised host a userland rootkit that hooks those same tools can filter exactly that output, which is why the check should be repeated from a known-good boot environment.

    Seven Persistence Mechanisms Across the Linux Startup Stack

    QLNX implements seven documented persistence mechanisms spanning the full range of Linux startup and process execution paths:

    • LD_PRELOAD injection
    • systemd service unit
    • crontab entry
    • init.d script
    • XDG autostart
    • .bashrc injection
    • (seventh mechanism documented by Trend Micro)

    The breadth of persistence mechanisms means that removing QLNX requires auditing all seven paths; leaving any one in place lets the malware re-establish itself on the next reboot or user login. Because the userland rootkit can filter what user-space tools see, that audit is only trustworthy when performed from a rescue boot or against the disk mounted on a clean system.
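    The following script, added here as an example and not part of Trend Micro's analysis, audits the six persistence paths named above under a given root and home directory, so it can be pointed at a mounted image as well as a live system. The heuristics (temp-directory paths, hidden directories, fetch-and-pipe and base64-decode patterns, LD_PRELOAD exports) are assumptions made for this example rather than published indicators; the seventh mechanism is not covered because the page does not name it; and the fake filesystem tree the script builds is constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristics for this example, not indicators published by Trend Micro: startup
# entries that execute from a temp or shared-memory directory, from a hidden
# directory, that fetch-and-pipe or base64-decode a payload, or that set LD_PRELOAD.
TEMP_PATH = re.compile(r"(^|[\s=\"'])(/tmp|/dev/shm|/var/tmp)/")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")
DECODE_OR_PIPE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(sh|bash)\b|\bbase64\s+(-d|--decode)\b")
PRELOAD_EXPORT = re.compile(r"\bLD_PRELOAD\s*=")


def _lines(path: Path) -> list[str]:
    try:
        return path.read_text(errors="replace").splitlines()
    except OSError:                    # absent, unreadable, or hidden from us
        return []


def _suspicious(lines, allow_hidden: bool = False) -> list[str]:
    """Non-comment lines matching the heuristics. Shell rc files legitimately
    reference ~/.nvm, ~/.cargo and the like, so hidden-dir matches can be
    switched off for them."""
    hits = []
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if TEMP_PATH.search(s) or DECODE_OR_PIPE.search(s) or PRELOAD_EXPORT.search(s) \
                or (not allow_hidden and HIDDEN_DIR.search(s)):
            hits.append(s)
    return hits


def audit_persistence(root: str, home: str) -> list[tuple[str, str]]:
    """Walk the six named QLNX persistence paths under `root` (a live "/" or a
    mounted image) and `home`, returning (mechanism, offending line) pairs."""
    r, h = Path(root), Path(home)
    findings = []
    # 1. LD_PRELOAD: ld.so.preload is normally absent on a workstation, so every
    #    entry is reported; LD_PRELOAD exports in rc files are caught in step 6.
    findings += [("ld.so.preload", s.strip()) for s in _lines(r / "etc/ld.so.preload")
                 if s.strip() and not s.startswith("#")]
    # 2. systemd: system and per-user units, judged on their Exec* lines.
    for d in (r / "etc/systemd/system", h / ".config/systemd/user"):
        for unit in d.glob("*.service"):
            exec_lines = [l for l in _lines(unit) if l.startswith("Exec")]
            findings += [("systemd:" + unit.name, s) for s in _suspicious(exec_lines)]
    # 3. cron: the system crontab, /etc/cron.d drop-ins and per-user spool files.
    cron_files = [r / "etc/crontab", *(r / "etc/cron.d").glob("*"),
                  *(r / "var/spool/cron/crontabs").glob("*")]
    for f in cron_files:
        findings += [("cron:" + f.name, s) for s in _suspicious(_lines(f))]
    # 4. init.d scripts.
    for f in (r / "etc/init.d").glob("*"):
        findings += [("init.d:" + f.name, s) for s in _suspicious(_lines(f))]
    # 5. XDG autostart .desktop entries, system-wide and per-user.
    for d in (r / "etc/xdg/autostart", h / ".config/autostart"):
        for f in d.glob("*.desktop"):
            exec_lines = [l for l in _lines(f) if l.startswith("Exec=")]
            findings += [("xdg:" + f.name, s) for s in _suspicious(exec_lines)]
    # 6. shell rc files, where an injected line usually sources or execs a drop.
    for name in (".bashrc", ".bash_profile", ".profile", ".zshrc"):
        findings += [(name, s) for s in _suspicious(_lines(h / name), allow_hidden=True)]
    return findings


def build_sample_tree() -> tuple[str, str]:
    """Constructed fixture: a fake root and home under a temp dir, seeded with
    benign entries and four planted ones. Not an image of any real infection."""
    base = Path(tempfile.mkdtemp(prefix="qlnx-persist-"))
    root, home = base / "root", base / "home/dev"
    for d in ("etc/systemd/system", "etc/cron.d", "etc/init.d", "etc/xdg/autostart"):
        (root / d).mkdir(parents=True)
    (home / ".config/autostart").mkdir(parents=True)
    (root / "etc/ld.so.preload").write_text("/usr/local/lib/libdrop.so\n")          # planted
    (root / "etc/systemd/system/sysupdate.service").write_text(
        "[Service]\nExecStart=/dev/shm/.cache/agent --daemon\n")                        # planted
    (root / "etc/cron.d/backup").write_text("0 3 * * * root /usr/bin/rsync -a /srv /mnt/bk\n")
    (root / "etc/init.d/ssh").write_text("#!/bin/sh\nexec /usr/sbin/sshd\n")
    (home / ".config/autostart/tracker.desktop").write_text(
        "[Desktop Entry]\nExec=/tmp/.X11-unix/.t/run\n")                                 # planted
    (home / ".bashrc").write_text("alias ll='ls -l'\n"
                                  "[ -s ~/.nvm/nvm.sh ] && . ~/.nvm/nvm.sh\n"            # benign
                                  'eval "$(base64 -d ~/.cache/.s)"\n')                    # planted
    return str(root), str(home)


if __name__ == "__main__":
    for mechanism, line in audit_persistence("/", os.path.expanduser("~")):
        print(f"{mechanism:<28} {line}")
```

    Run it from a rescue boot with the victim disk mounted, passing the mount point as root and the user's home beneath it; on the live host the userland rootkit can filter what the script reads, and any entry that shows up offline but not online is itself evidence of the rootkit.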

    The Developer Supply Chain Threat: From Individual Compromise to Millions of Downstream Users

    QLNX’s design purpose distinguishes it from conventional malware families that target data theft or ransomware deployment. By compromising a developer’s npm publishing credentials, a PyPI account with upload access, or GitHub repository write permissions, an attacker can inject a malicious dependency or backdoored package version that propagates to every downstream project or organization that installs or updates the affected package.

    The scale of potential impact from a single developer compromise — where one backdoored package can reach millions of end-user systems through automatic dependency updates — is the core threat model QLNX is built to exploit. Trend Micro’s May 5, 2026 disclosure highlights the developer workstation and credentials as a high-value target in the supply chain attack chain.
