Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
QLNX's Linux RAT specifically harvests npm tokens, PyPI credentials, and cloud provider keys to enable malicious package publishing under the compromised developer's identity. This is not a new threat — it is a threat that has been escalating systematically for three years while the defensive response has been fragmented. The combination of credential-based package publishing and minimal post-publish scrutiny makes the developer credential the most valuable initial access target in software supply chain attacks.
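The practical defensive question raised by the article is whether a developer workstation is holding the kind of long-lived, plaintext publishing credentials that such a RAT would collect. The following audit script is an added example, not code from Trend Micro or CipherWatch: it checks the default on-disk credential stores of npm, pip/twine, the AWS CLI, Docker and the GitHub CLI (assumed default paths, no environment-variable overrides), reports which ones contain a plaintext secret or loose file permissions, and prints only a redacted preview so the report itself never leaks a token. The sample home directory it builds is constructed for the demonstration, with obviously fake values.

```python
"""Audit a developer home directory for long-lived plaintext publishing
credentials of the kinds the article says QLNX harvests.

Added example (not Trend Micro's or CipherWatch's code). Assumptions:
each tool uses its default credential file location; no env overrides.
"""
import json
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

# tool -> (default credential file, pattern for a stored secret, recommended replacement)
CREDENTIAL_STORES = {
    "npm":    (".npmrc",               re.compile(r"_authToken\s*=\s*(\S+)"),
               "granular token with 2FA, or trusted publishing (OIDC) from CI"),
    "pypi":   (".pypirc",              re.compile(r"password\s*=\s*(\S+)"),
               "trusted publishing (OIDC) instead of a stored API token"),
    "aws":    (".aws/credentials",     re.compile(r"aws_secret_access_key\s*=\s*(\S+)"),
               "short-lived SSO/STS credentials instead of long-lived IAM keys"),
    "docker": (".docker/config.json",  re.compile(r'"auth"\s*:\s*"([^"]+)"'),
               "a credential helper (credsStore) instead of base64 auth in config.json"),
    "gh":     (".config/gh/hosts.yml", re.compile(r"oauth_token:\s*(\S+)"),
               "OS keyring storage for the gh token"),
}


def redact(secret: str) -> str:
    """Keep only a 4-character prefix so the audit output never contains a usable token."""
    return f"{secret[:4]}...({len(secret)} chars)"


def audit_home(home: Path) -> list[dict]:
    """Return one finding per credential store that holds a plaintext secret."""
    findings = []
    for tool, (rel, pattern, fix) in CREDENTIAL_STORES.items():
        path = home / rel
        if not path.is_file():
            continue
        match = pattern.search(path.read_text(errors="replace"))
        if match is None:
            continue  # file exists but no secret stored in it (e.g. gh using the keyring)
        mode = path.stat().st_mode
        findings.append({
            "tool": tool,
            "path": str(path),
            "secret_preview": redact(match.group(1)),
            # group- or world-readable credential files widen who can read the token
            "loose_permissions": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "recommended_fix": fix,
        })
    return findings


def build_sample_home() -> Path:
    """Constructed sample home directory with fake credentials for demonstration only."""
    home = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    (home / ".aws").mkdir()
    (home / ".docker").mkdir()
    (home / ".config/gh").mkdir(parents=True)
    (home / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_EXAMPLEfake00000000000000000000\n")
    (home / ".pypirc").write_text(
        "[pypi]\nusername = __token__\npassword = pypi-EXAMPLEfaketoken\n")
    (home / ".aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLEFAKE\n"
        "aws_secret_access_key = EXAMPLEfakesecret/key\n")
    (home / ".docker/config.json").write_text(
        json.dumps({"auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNz"}}}))
    # gh configured to keep its token in the keyring: hosts.yml carries no oauth_token
    (home / ".config/gh/hosts.yml").write_text("github.com:\n    user: dev\n    git_protocol: https\n")
    # explicit modes so the result does not depend on the caller's umask
    os.chmod(home / ".npmrc", 0o644)            # loose
    os.chmod(home / ".pypirc", 0o600)           # tight, but still plaintext
    os.chmod(home / ".aws/credentials", 0o600)  # tight, but still long-lived
    os.chmod(home / ".docker/config.json", 0o644)  # loose
    return home


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for f in audit_home(target):
        perms = "LOOSE PERMS" if f["loose_permissions"] else "owner-only"
        print(f'{f["tool"]:7} {f["path"]}  {f["secret_preview"]}  {perms}  -> {f["recommended_fix"]}')
```

Run it with no arguments to audit the current user's home, or pass a directory path. A finding means the credential is sitting on disk in the form a credential-stealing RAT would read; the recommended_fix column points at the short-lived or keyring-backed alternative for that tool, which is what removes the developer credential as a single point of compromise for package publishing.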
CipherWatch Editorial
Security Intelligence Platform