Lead Story | High — Linux Malware / Supply Chain | Dev · Cloud+DevOps
QLNX: New Linux RAT Compiles Its Own Rootkit On-Target, Harvests npm and Cloud Credentials, and Turns Developer Machines into Supply Chain Entry Points
Trend Micro documented Quasar Linux (QLNX) on May 4 — a previously undocumented Linux implant targeting developer and DevOps workstations. It deploys a PAM backdoor by compiling it locally on the victim machine, then exfiltrates credentials for npm, PyPI, AWS, Kubernetes, and CI/CD pipelines.
The detection problem: QLNX’s per-host components defeat signature detection by design. Once on a target system, QLNX compiles its PAM backdoor using the victim machine’s own gcc — a fresh binary on every deployment, invisible to signature-based endpoint tools. That binary loads via /etc/ld.so.preload and intercepts every authentication event on the host, capturing plaintext credentials. A hardcoded master password survives credential rotation, giving the operator persistent access even through an active incident response — full IoCs including the password string are in the Trend Micro advisory.
The credential scope is what makes QLNX a supply chain threat. It harvests .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, and GitHub CLI tokens — the full set of keys governing cloud environments, code repositories, and package publishing pipelines. An operator with that harvest can read private source, modify cloud infrastructure, or publish to any registry the developer has access to. Stolen data exits over encrypted TCP/TLS or HTTP/S to attacker-controlled C2; infected hosts also join a P2P mesh, keeping the implant live even when individual C2 nodes are disrupted. Trend Micro →
Key Takeaway: QLNX targets the exact credentials that unlock supply chain propagation. Audit Linux developer machines for unexpected gcc invocations and modifications to /etc/ld.so.preload. If infection is suspected, rotate npm, PyPI, AWS, and Kubernetes tokens immediately — these are the operator’s primary targets.
Quick Hits
01
Cursor CVE-2026-26268 (CVSS 9.9): Cloning a Malicious Repository Can Execute Arbitrary Code on Your Developer Machine
Novee Security disclosed CVE-2026-26268 on April 28: when Cursor’s AI agent autonomously executes a git checkout inside a repository containing an embedded bare repo, a hidden pre-commit hook fires and achieves arbitrary code execution on the developer’s machine — no explicit user action required beyond opening the project. The attack requires no special permissions; the Cursor AI agent fulfils a routine request and triggers the hook automatically, with access to credentials, source code, and any secrets on the workstation. Cursor patched the flaw in version 2.5; update immediately and treat any repository opened with Cursor’s autonomous agent as a trust boundary. Novee Security →
Critical — AI Dev Tool Security | Dev
CVE Watch
CVE-2026-23918 — Apache HTTP Server 2.4.66: CVSS 8.8 HTTP/2 Double-Free, Lab-Confirmed RCE Path, Patch Available
CVE-2026-23918 is a double-free in Apache HTTP Server 2.4.66’s mod_http2: sending a HEADERS frame immediately followed by RST_STREAM triggers the flaw in the stream cleanup path. On systems using the mmap allocator — the default on Debian-derived distributions and official Docker images — researchers have confirmed RCE in laboratory conditions by placing a fake stream struct at the freed address. No active exploitation has been confirmed as of May 7, 2026; a patch shipped in Apache HTTP Server 2.4.67 on May 4. NVD →
Vendor: Apache Software Foundation · CVE: CVE-2026-23918 · CVSS: 8.8 · Affected: Apache HTTP Server 2.4.66 · Fix: Available — upgrade to 2.4.67 (released May 4, 2026) · Exploitation: Not confirmed; RCE demonstrated in lab conditions
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM-09 — Detect: Continuous Monitoring — Runtime Environment Monitoring
QLNX Was Designed to Beat Signature Detection — Behavioral Monitoring Is the Only Reliable Path
QLNX’s compile-on-target technique is specifically engineered to defeat signature-based endpoint detection: by compiling the PAM backdoor on the victim machine using its own gcc, each deployment produces a unique binary that signature-based tools cannot match. NIST DE.CM-09 requires monitoring of computing hardware, software, and runtime environments for adverse events — on Linux developer workstations, that baseline must include compiler invocations, dynamic linker configuration changes, and PAM library modifications. Concrete action (DE.CM-09): Add detection rules for three indicators: (1) gcc or cc1 invoked outside of scheduled build processes or from package cache directories; (2) writes to /etc/ld.so.preload from any process other than your package manager; (3) new or modified .so files in system library paths outside a maintenance window. nist.gov/cyberframework →
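Detection logic for the three DE.CM-09 indicators above, which also covers the gcc and /etc/ld.so.preload audit the Key Takeaway calls for, as an added example that is not from the newsletter, NIST, or Trend Micro. It parses auditd-style SYSCALL and PATH records joined on the audit serial; the log lines are constructed, and the build-account uid, the package-manager paths, and the audit rule keys are assumptions about the host's audit configuration.

```python
import re
from collections import defaultdict
# Constructed sample records in auditd's key=value style (not real captures); SYSCALL and PATH records of one event share the msg=audit(<ts>:<serial>) id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1715000001.100:101): syscall=59 success=yes auid=1000 uid=1000 comm="gcc" exe="/usr/bin/gcc" key="compiler"
type=SYSCALL msg=audit(1715000002.200:102): syscall=59 success=yes auid=998 uid=998 comm="cc1" exe="/usr/lib/gcc/x86_64-linux-gnu/12/cc1" key="compiler"
type=SYSCALL msg=audit(1715000003.300:103): syscall=257 success=yes auid=1000 uid=0 comm="sh" exe="/usr/bin/dash" key="preload"
type=PATH msg=audit(1715000003.300:103): item=0 name="/etc/ld.so.preload" nametype=NORMAL
type=SYSCALL msg=audit(1715000004.400:104): syscall=257 success=yes auid=4294967295 uid=0 comm="dpkg" exe="/usr/bin/dpkg" key="syslib"
type=PATH msg=audit(1715000004.400:104): item=1 name="/usr/lib/x86_64-linux-gnu/libcrypto.so.3" nametype=CREATE
type=SYSCALL msg=audit(1715000005.500:105): syscall=257 success=yes auid=1000 uid=0 comm="cp" exe="/usr/bin/cp" key="syslib"
type=PATH msg=audit(1715000005.500:105): item=1 name="/lib/x86_64-linux-gnu/security/pam_helper.so" nametype=CREATE
"""
BUILD_UIDS = {998}  # assumption: audit uid of the CI build service account
PKG_MANAGERS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt-get", "/usr/bin/dnf"}
SYSLIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
COMPILERS = {"gcc", "cc", "cc1", "g++"}
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_events(log):
    # Group records by audit serial so each PATH record joins its SYSCALL record.
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = _SERIAL.search(line)
        if not m:
            continue
        rec = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in _KV.findall(line)}
        if rec.get("type") == "SYSCALL":
            events[m.group(1)].update(rec)
        elif rec.get("type") == "PATH":
            events[m.group(1)]["paths"].append(rec)
    return events

def detect(log):
    """Return (serial, rule, detail) tuples for the three DE.CM-09 indicators."""
    alerts = []
    for serial, ev in sorted(parse_events(log).items(), key=lambda kv: int(kv[0])):
        exe, auid = ev.get("exe", ""), int(ev.get("auid", -1))
        # (1) compiler executed under any login uid except the build account
        if ev.get("comm") in COMPILERS and auid not in BUILD_UIDS:
            alerts.append((serial, "compiler-outside-build", exe))
        for p in ev["paths"]:
            name = p.get("name", "")
            # (2) preload file touched by anything but a package manager (assumes a write/attr-only audit watch, so every hit is a modification)
            if name == "/etc/ld.so.preload" and exe not in PKG_MANAGERS:
                alerts.append((serial, "ld.so.preload-write", exe))
            # (3) shared object created in a system library path outside package management
            if (p.get("nametype") == "CREATE" and ".so" in name
                    and name.startswith(SYSLIB_DIRS) and exe not in PKG_MANAGERS):
                alerts.append((serial, "syslib-so-created", name))
    return alerts
```

Run against SAMPLE_LOG it flags the gcc run by the developer's uid, the shell writing to the preload file, and the .so copied into the PAM module directory, while the build account's cc1 run and dpkg's library install pass.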