New Quasar Linux Malware Targets Developers with Rootkit and Backdoor Features
Security researchers have uncovered a previously undocumented Linux implant, dubbed Quasar Linux (QLNX), that is actively targeting software developers. Discovered during an investigation into anomalous behavior on developer workstations, the malware represents a new addition to the growing arsenal of threats aimed at the open‑source ecosystem. Its appearance on BleepingComputer’s radar underscores the rapid evolution of Linux‑based attack tools.
QLNX integrates a sophisticated rootkit module that can conceal files, processes, and network connections, making forensic analysis extremely difficult. In addition, the implant contains a remote backdoor that allows an attacker to execute arbitrary commands, upload additional payloads, and persist across reboots. Credential‑harvesting components such as keyloggers and memory scrapers enable the malware to capture SSH keys, API tokens, and other sensitive information used by developers.
Initial infection vectors appear to involve malicious packages uploaded to public repositories or trojanized development utilities, a tactic consistent with supply‑chain attacks. By compromising tools that developers trust, the actors behind QLNX can propagate the implant downstream to CI/CD pipelines and production environments. The malware’s focus on developer environments suggests a strategic interest in stealing code signing credentials and accessing proprietary source repositories.
Organizations are advised to review their package‑manager configurations, implement strict integrity checks for third‑party libraries, and monitor for unusual process activity on build servers. Indicators of compromise, including specific file hashes and network signatures identified by the research community, should be incorporated into endpoint detection rules. Ongoing analysis is expected to reveal further details about QLNX’s command‑and‑control infrastructure and potential attribution.
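The article notes that QLNX's rootkit conceals processes and recommends monitoring build servers for unusual process activity. The following added example, written for this page and not taken from the article or any QLNX analysis, shows one defensive check for that class of behaviour: a cross-view comparison between the PIDs a `/proc` directory listing reports (the view `ps` relies on and the one a rootkit typically filters) and the PIDs found by probing each candidate with signal 0. It assumes a Linux host with `/proc` mounted and that the script runs as a user allowed to read `/proc/sys/kernel/pid_max`.

```python
import os
import re
import time

# Numeric entries under /proc name live PIDs.
_PID_DIR = re.compile(r"^\d+$")

def pids_from_proc_listing(proc_root="/proc"):
    """View 1: PIDs as readdir() on /proc reports them.
    This is the view ps/top use and the one a rootkit usually filters."""
    return {int(name) for name in os.listdir(proc_root) if _PID_DIR.match(name)}

def pids_from_probe(max_pid):
    """View 2: PIDs discovered by sending signal 0 to every candidate PID.
    No directory listing is involved, so filtering readdir() alone cannot hide them.
    EPERM means the process exists but belongs to another user.
    Note: pid_max is often 4194304, so a full probe takes several seconds."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found

def hidden_pids(listing_views, probe_views):
    """PIDs present in every probe snapshot but absent from every listing snapshot.
    Requiring consistency across rounds drops processes that merely started or
    exited between two snapshots, which would otherwise be false positives."""
    always_probed = set.intersection(*probe_views)
    ever_listed = set.union(*listing_views)
    return sorted(always_probed - ever_listed)

def scan(rounds=3, delay=0.2, max_pid=None):
    """Take several paired snapshots and return PIDs that only the probe can see."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listing_views, probe_views = [], []
    for _ in range(rounds):
        listing_views.append(pids_from_proc_listing())
        probe_views.append(pids_from_probe(max_pid))
        time.sleep(delay)
    return hidden_pids(listing_views, probe_views)

if __name__ == "__main__":
    suspicious = scan()
    print("PIDs hidden from /proc listing:", suspicious or "none")
```

A rootkit that also hooks the kill() path will defeat this single comparison, so treat it as one vantage point among several (direct `/proc/<pid>` opens, netlink process listings, audit logs) rather than a complete check.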