What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

The Worm That Reads Your Secrets: Shai-Hulud, QLNX, and the 2026 Developer Credential Supply Chain War

← Deep-Dive

0 sources verified·9 min read

By Lyrie.ai Senior Analyst Desk·5/9/2026

TL;DR

May 2026 has produced the densest month of developer-targeting supply chain attacks since the SolarWinds era — but the geometry is completely different. Instead of nation-state patience and custom implants, attackers are moving fast and loud: self-propagating NPM worms that upload stolen secrets to public GitHub repos, a fileless Linux RAT (QLNX) that hides inside kernel thread names while harvesting every credential file a developer might own, and a coordinated cross-registry campaign that hit over 1,800 developers across PyPI, NPM, and PHP in a single wave. The common thread is the developer identity: steal their tokens, push your code, compromise their downstream. The pipeline is the attack surface.

Background

Software supply chain attacks are not new — the concept crystallized with event-stream in 2018, exploded in 2021 with SolarWinds and Codecov, and became endemic with the 2022–2024 wave of typosquatting campaigns on npm and PyPI. What changed in late 2025 and into 2026 is the industrialization of the post-compromise step. Attackers no longer need to maintain infrastructure; GitHub itself serves as the exfiltration destination, C2 channel, and malware mirror. Package registries remain chronically under-resourced for proactive review. And the explosion of CI/CD tooling means that a single compromised developer machine now has blast radius across every repository, every cloud environment, and every downstream user of every package that developer touches.

Three distinct but thematically linked incidents define the current moment:

1. Shai-Hulud "Third Coming" — a self-propagating NPM worm targeting @bitwarden/cli (250K monthly downloads)

2. Quasar Linux RAT (QLNX) — a fileless, kernel-hiding Linux implant purpose-built for developer credential harvesting

3. Mini Shai-Hulud Cross-Registry Campaign — coordinated compromise of PyTorch Lightning (PyPI) and intercom-client (NPM), 1,800+ developers hit

Understanding each individually understates the risk. Together they describe a maturing ecosystem for supply chain operations.

Technical Analysis

Shai-Hulud v3: The Self-Replicating NPM Worm

The Shai-Hulud family was first documented in early 2026. Its third confirmed iteration targeted the official @bitwarden/cli NPM package, version 2026.4.0. The malicious version was flagged and removed, but not before spreading to every CI pipeline or developer environment using a loose version specifier.

Infection vector: The package's package.json hooks a preinstall script (bw_setup.js) that bootstraps the Bun JavaScript runtime, then silently executes the primary payload (bw1.js).

Anti-sandbox evasion: The malware's first action is checking the host's locale configuration. If Russian is set as the system language, execution halts immediately. This is a standard nation-state or Russian-speaking affiliate tell — developers don't want to accidentally detonate their own tools on their own machines.

Credential harvest scope:

NPM auth tokens (validated before exfiltration)
GitHub personal access tokens and GitHub Actions runner secrets
AWS credentials and secrets manager contents
GCP and Azure service credentials

Self-propagation mechanic (novel and dangerous): Once QLNX has the victim's NPM token, it downloads one of the victim's own published packages, injects the Shai-Hulud payload into the source, and republishes under a new version number. The attack replicates laterally through the victim's own package graph without requiring any additional attacker infrastructure or social engineering.

Exfiltration method: All collected secrets are encrypted with AES-256-GCM using the attacker's asymmetric public key. The ciphertext is uploaded to a newly created public GitHub repository on the victim's own account — meaning the attacker can enumerate repositories globally for Shai-Hulud: The Third Coming strings and pull decrypted results, while the victim's account appears to be hosting the exfil.

Safe version: @bitwarden/cli <= 2026.3.0. Version 2026.4.0 is the only confirmed malicious release.

Quasar Linux RAT (QLNX): The Developer's Silent Tenant

Discovered and named by Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim, QLNX is a Linux implant with a singular design philosophy: arrive on a developer's machine, become invisible, and drain every credential file it can find.

Credential harvest scope (exhaustive):

.npmrc          → NPM tokens
.pypirc         → PyPI publishing credentials
.git-credentials → Git hosting passwords
.aws/credentials → AWS access keys
.kube/config    → Kubernetes cluster access
.docker/config.json → Container registry tokens
.vault-token    → HashiCorp Vault root/service tokens
.terraform/     → Terraform state and provider keys
~/.config/gh/   → GitHub CLI tokens
.env files      → Application secrets, API keys, DB URIs

Any one of these provides supply chain entry. All of them together gives an attacker complete control of a developer's publishing pipeline, cloud infrastructure, and container registries.

Stealth architecture — dual-layer rootkit:

Userland layer: LD_PRELOAD hook that intercepts standard library calls, hiding QLNX processes, files, and sockets from ps, ls, lsof, and netstat
Kernel layer: eBPF-based component that conceals at the kernel level, receiving hide/unhide instructions from C2, ensuring even eBPF monitoring tools see only what the attacker wants

Process masquerading: QLNX impersonates kernel worker threads (kworker/u8:2, ksoftirqd/0) — process names that security teams are conditioned to ignore as benign kernel activity.

Persistence (7 mechanisms):

1. systemd user service

2. crontab entry

3. .bashrc / .zshrc injection

4. XDG autostart

5. PAM module installation

6. LD_PRELOAD in /etc/environment

7. Git hooks in globally configured repositories

PAM backdoor: QLNX installs an inline PAM hook that intercepts plaintext credentials at authentication time — capturing passwords for sudo, SSH logins, and any service using PAM. It also logs outbound SSH session data, giving the attacker everything needed to pivot through the victim's infrastructure.

C2 protocol: Raw TCP, HTTPS, and HTTP — three channels, with automatic failover. Supports 58 distinct operator commands including process injection, SOCKS proxy setup, TCP tunneling, keylogging, screenshot capture, and Beacon Object File (BOF) execution (a Cobalt Strike-compatible feature that indicates ties to commercial offensive tooling ecosystems).

P2P mesh capability: QLNX nodes can form a peer-to-peer mesh, enabling lateral movement through air-gapped developer network segments without direct C2 connectivity.

Delivery vector: Undetermined as of publication. Likely candidates include trojanized package installs (consistent with the broader campaign), phishing targeting developers, or poisoned CI/CD runner images.

The Cross-Registry Campaign: 1,800 Developers, Three Package Ecosystems

A coordinated wave — likely using Shai-Hulud-lineage tooling — hit PyPI (PyTorch Lightning), NPM (intercom-client), and PHP (Packagist) in a single campaign. PyTorch Lightning was compromised for 42 minutes before detection; the intercom-client npm package had wider exposure due to slower detection workflows in that ecosystem.

Combined monthly download count for the two primary packages: approximately 10 million. Even a 0.018% hit rate produces thousands of compromised CI pipelines.

The PyTorch Lightning incident is particularly instructive because it demonstrates both the speed of modern supply chain attacks and the dependency problem: Lightning with a wide version specifier (lightning>=2.6,<3) was the most common use pattern in ML training repositories. Every automated build that ran pip install during that 42-minute window pulled the malicious version — with no user interaction required.

IOCs

Package versions to avoid / uninstall immediately:

|---|---|---|---|

| @bitwarden/cli | NPM | 2026.4.0 | ≤ 2026.3.0 |

QLNX filesystem indicators:

Processes named kworker/u: or ksoftirqd/* running from /tmp/ or /dev/shm/
Unexpected entries in /etc/ld.so.preload
New systemd user services with randomized names in ~/.config/systemd/user/
.bashrc/.zshrc with base64-encoded eval blocks
PAM library files in /lib/security/ not matching package manager hashes

GitHub exfiltration indicators:

New public repositories on developer accounts created programmatically
Repository names matching timestamp patterns
Files named results--.json with envelope/key JSON structure
GitHub search: "Shai-Hulud: The Third Coming" in code

Network indicators (QLNX C2):

Outbound raw TCP to non-standard ports from developer workstations
Unexpected SOCKS proxy traffic originating from build machines
Periodic HTTPS beacons on 60-second intervals to CDN-mimicking domains

Lyrie Take

The Shai-Hulud + QLNX combination represents the next evolution of supply chain attacks: credential theft as a service, delivered through the software ecosystem itself. The attacker doesn't need to breach your network. They breach a developer who contributes to a package your network trusts, and the trust relationship delivers the payload for them.

Three architectural decisions by threat actors stand out as particularly dangerous in 2026:

1. GitHub-as-exfil. Security tools don't block github.com. Encrypted blobs in public repos are indistinguishable from normal user content until you know what search string to look for. This is a durable technique because fixing it would require GitHub to restrict repository creation — a fundamental product regression.

2. Self-propagating through victim's own packages. The Shai-Hulud self-replication mechanic turns compromised developer accounts into attack multipliers. A single infected machine at a popular open-source maintainer produces dozens of downstream package infections without any attacker effort.

3. Fileless + eBPF. QLNX's dual-layer rootkit requires kernel-level visibility to detect reliably. Most developer laptops run no EDR. Most CI runners have no runtime monitoring. The attacker has a detection-free window measured in weeks or months.

The 42-minute window in the PyTorch Lightning incident is actually a success story for registry security automation. The typical window for similar attacks is measured in days.

Defender Playbook

Immediate (if you use @bitwarden/cli, Lightning, or intercom-client):

1. Pin package versions with hash-based lockfiles (package-lock.json, poetry.lock with --exact) — loose semver ranges are a gift to this attack class

2. Rotate all credentials that could have been exposed: npm tokens, GitHub PATs, AWS keys, any .env file secrets

3. Search your GitHub account for unexpected public repositories; revoke any unexpected OAuth tokens

4. Run cat /etc/ld.so.preload — any unexpected library path here = compromise indicator

QLNX-specific detection:

# Check for LD_PRELOAD persistence
cat /etc/ld.so.preload
env | grep LD_PRELOAD

# Check systemd user services for anomalies
systemctl --user list-units --type=service

# Check for suspicious kernel thread names running from /tmp or /dev/shm
ls -la /proc/*/exe 2>/dev/null | grep -E '(tmp|shm)' 

# PAM module integrity check
debsums -c libpam-runtime 2>/dev/null || rpm -Va pam 2>/dev/null

# Check bashrc/zshrc for eval+base64 patterns
grep -E 'eval.*base64' ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null

Structural defenses:

Sigstore/Cosign for package signing verification — if the registry doesn't offer it, pin to hash
SLSA provenance for any package central to your build — verify the provenance document matches your build before trusting
Separate publishing tokens from development tokens — a compromised dev laptop should not have npm publish rights
GitHub Actions: require OIDC for cloud deployments; avoid long-lived secrets in repository settings
CI runner hardening: ephemeral runners only; no persistent credential stores on runners; network egress allow-listing
Developer machine EDR: QLNX is undetectable without kernel telemetry; endpoint agents with eBPF-based monitoring (Falco, Tetragon, or commercial equivalents) are the only reliable detection path
Monitor for registry publish events from your organization's packages via npm/PyPI webhook alerts

Detection rule (Sigma-style):

title: Suspicious process masquerading as kernel thread from tmp/shm
detection:
  condition: process_name_matches AND path_from_tmpfs
  process_name_re: '^(kworker|ksoftirqd|kswapd|kthreadd)/.*'
  path_re: '^(/tmp/|/dev/shm/|/run/user/)'

Sources

1. OX Security — "Inside the Shai-Hulud Supply Chain Attack" (May 2026): https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/

2. The Hacker News — "Quasar Linux RAT Steals Developer Credentials" (May 8, 2026): https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html

3. Let's Data Science — "PyTorch Lightning Supply Chain Attack: 42-Minute PyPI Compromise" (May 2026): https://letsdatascience.com/blog/pytorch-lightning-supply-chain-attack-42-minutes

4. Security Boulevard — "1,800 Developers Hit in Mini Shai-Hulud Supply Chain Attack" (May 2026): https://securityboulevard.com/2026/05/1800-developers-hit-in-mini-shai-hulud-supply-chain-attack-across-pypi-npm-and-php/

5. Trend Micro Research — "Quasar Linux (QLNX): A Silent Foothold in the Software Supply Chain": https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html

6. CSO Online — "Supply-chain attacks take aim at your AI coding agents" (May 2026): https://www.csoonline.com/article/4167465/supply-chain-attacks-take-aim-at-your-ai-coding-agents.html

Lyrie.ai Cyber Research Division — Senior Analyst Desk