TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GBHackers

QLNX Targets Developers in Supply Chain Credential Theft Campaign

Mayura Kathir · 14 hours ago

ATT&CK techniques detected

12 predictions
T1195.001 Compromise Software Dependencies and Development Tools (97%)
“developer tooling secrets such as .git-credentials and .gitconfig, .npmrc (npm tokens), .pypirc (PyPI API keys), GitHub CLI tokens, HashiCorp Vault tokens, Terraform credentials, and .env files in the user’s home directory. System password hashes from /etc/shadow when…”

T1195.001 Compromise Software Dependencies and Development Tools (93%)
“QLNX Targets Developers in Supply Chain Credential Theft Campaign. QLNX is a newly documented Linux remote access trojan (RAT) that targets the theft of developers’ and DevOps credentials to hijack software supply chains. Recent attacks against popular projects like LiteLLM on …”

T1587 Develop Capabilities (70%)
“npm or PyPI accounts, publish trojanized versions of widely used packages, alter Docker images, or pivot into Kubernetes clusters used for building and deploying software. The LiteLLM breach in March 2026, where attackers used stolen CI credentials to ship a three-stage backdoo…”

T1014 Rootkit (67%)
“access. These hooks selectively hide files, directories, and the malware process itself by returning ‘file not found’ when tools probe for artifacts like the QLNX binary, the rootkit .so, or the credential-log files. QLNX also controls an eBPF-based rootkit component, actin…”

T1552.001 Credentials In Files (65%)
“lateral movement mapping. Captured secrets are XOR-encrypted and stored in hidden log files under /var/log (e.g., .ice-unix and .test-unix), which are then hidden by the rootkit and exfiltrated on operator request. A second, simpler PAM logger module writes plaintext …”

T1574.006 Dynamic Linker Hijacking (61%)
“…mp. For persistence, the RAT supports at least seven mechanisms, including systemd services (user and system), cron reboot entries, SysV init scripts, XDG autostart .desktop files, .bashrc injection, and the powerful LD_PRELOAD shared-library technique. Each persistence a…”

T1195.001 Compromise Software Dependencies and Development Tools (55%)
“npm or PyPI accounts, publish trojanized versions of widely used packages, alter Docker images, or pivot into Kubernetes clusters used for building and deploying software. The LiteLLM breach in March 2026, where attackers used stolen CI credentials to ship a three-stage backdoo…”

T1543.002 Systemd Service (51%)
“…mp. For persistence, the RAT supports at least seven mechanisms, including systemd services (user and system), cron reboot entries, SysV init scripts, XDG autostart .desktop files, .bashrc injection, and the powerful LD_PRELOAD shared-library technique. Each persistence a…”

T1195.002 Compromise Software Supply Chain (49%)
“QLNX Targets Developers in Supply Chain Credential Theft Campaign. QLNX is a newly documented Linux remote access trojan (RAT) that targets the theft of developers’ and DevOps credentials to hijack software supply chains. Recent attacks against popular projects like LiteLLM on …”

T1055.003 Thread Execution Hijacking (43%)
“that re-executes itself from an anonymous in-memory file created via the memfd_create syscall, deleting the original executable from disk to reduce forensic artifacts. It checks whether it is already running from memory using indicators in /proc/self/exe and an mfdre e…”

T1071.001 Web Protocols (40%)
“npm or PyPI accounts, publish trojanized versions of widely used packages, alter Docker images, or pivot into Kubernetes clusters used for building and deploying software. The LiteLLM breach in March 2026, where attackers used stolen CI credentials to ship a three-stage backdoo…”

T1543 Create or Modify System Process (38%)
“that re-executes itself from an anonymous in-memory file created via the memfd_create syscall, deleting the original executable from disk to reduce forensic artifacts. It checks whether it is already running from memory using indicators in /proc/self/exe and an mfdre e…”

Summary

QLNX is a newly documented Linux remote access trojan (RAT) that targets the theft of developers’ and DevOps credentials to hijack software supply chains. Recent attacks against popular projects like LiteLLM on PyPI and the Axios npm package have shown how a single compromised maintainer account can be used to push backdoored releases to millions […]

The post QLNX Targets Developers in Supply Chain Credential Theft Campaign appeared first on GBHackers Security.