In early July 2024, security researchers uncovered a new strain of malware named Quasar Linux RAT that specifically targets developers working on Linux‑based projects. By hijacking SSH keys, sudo credentials, and stored secrets, the RAT enables attackers to inject malicious code into otherwise legitimate software artefacts, turning a trusted supply chain into a vector for widespread compromise.

What is the Quasar Linux RAT?

The malicious tool is written in Go and compiled for multiple Linux architectures. It masquerades as a benign monitoring daemon, allowing it to blend into everyday development workflows. Once executed with elevated privileges, it establishes a persistent backdoor that can execute arbitrary commands, exfiltrate files, and — most critically — harvest authentication material stored on the host.

Credential Harvesting Mechanisms

Quasar's primary objective is to acquire the credentials that grant it ongoing access to source repositories, CI pipelines, and artifact repositories. The RAT employs several techniques that are easy to miss without targeted monitoring:

  • SSH key scraping: It reads the ~/.ssh/ directory and extracts private keys that are often reused across projects.
  • Sudo token replay: By invoking sudo with the -v flag, the RAT logs password attempts and can later replay cached credentials.
  • Environment variable dumping: Secrets such as API tokens, encryption keys, and database passwords held in shell environments are parsed and sent to remote command‑and‑control servers.
  • Git credential caching: It interrogates OS‑level credential caches (e.g., macOS Keychain, Gnome Keyring) to recover stored passwords for Git operations.

Why This Threatens the Software Supply Chain

When an attacker gains developer credentials, they can push malicious commits, replace legitimate binaries, or embed backdoors into release artefacts. Because many organizations rely on trusted developers to sign off on code, a single compromised machine can jeopardize an entire ecosystem of downstream users. The downstream impact includes:

  • Distribution of compromised libraries to thousands of downstream projects.
  • Potential propagation of the RAT through automated build pipelines.
  • Erosion of customer trust and increased remediation costs.

Detecting an Active Compromise

Early detection hinges on monitoring anomalous behaviour that deviates from normal development patterns. Consider implementing the following detection rules:

  • Alert on outbound connections from developer machines to unknown IPs, especially on non‑standard ports.
  • Log unusual sudo executions that do not match a whitelist of approved commands.
  • Monitor file system changes in ~/.ssh/, /etc/sudoers.d/, and common credential caches.
  • Correlate spikes in Git push activity that are not associated with CI jobs.

Deploying endpoint detection and response (EDR) tools with custom signatures for Quasar's process names (e.g., “quasar‑daemon”) can also improve visibility.

Actionable Checklist for IT and Security Teams

The following checklist provides concrete steps to mitigate the risk of credential‑stealing RATs like Quasar and to fortify the software supply chain:

  • Enforce principle of least privilege: Limit sudo rights and SSH key usage to only those employees who need them.
  • Rotate and revoke credentials regularly: Automate periodic key rotation and invalidate stale tokens.
  • Implement multi‑factor authentication (MFA): Require MFA for all Git, CI, and artifact repository accesses.
  • Network segmentation for build environments: Isolate development and CI servers from production networks.
  • Deploy integrity‑verification pipelines: Use signed commits, reproducible builds, and checksum validation before promotion.
  • Conduct regular threat‑hunt drills: Simulate credential‑harvesting scenarios to test detection capabilities.
  • Audit third‑party libraries: Employ Software Composition Analysis (SCA) tools that flag unsigned or altered dependencies.

Final Thoughts

The Quasar Linux RAT incident serves as a stark reminder that the security of the software supply chain rests on the protection of developer credentials. By adopting a layered defence — combining strict access controls, continuous monitoring, and proactive credential hygiene — organizations can dramatically reduce the likelihood of a similar compromise. Engaging with seasoned IT professionals not only ensures that these controls are correctly configured, but also provides the expertise needed to respond swiftly when threats emerge, preserving both operational continuity and stakeholder confidence.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.