
Introduction
A popular open-source automation platform used by thousands of developers has become the latest target of cybercriminals. Qinglong, a self-hosted task scheduling and management tool widely adopted in developer communities, is now under active attack after hackers discovered two serious authentication bypass vulnerabilities. These flaws allowed attackers to access protected admin functions without logging in, opening the door to remote code execution and malware installation.
Security researchers revealed that exploitation began before the vulnerabilities were publicly disclosed, showing once again how quickly threat actors move when they identify weaknesses in commonly used open-source software. The campaign focused on hijacking servers to run cryptocurrency mining malware, consuming system resources and potentially exposing broader infrastructure to compromise.
Attackers Target Qinglong Before Public Disclosure
Researchers at Snyk reported that exploitation activity began in early February, weeks before the security flaws were publicly announced later that month. This suggests attackers either independently discovered the issues or identified them through early patch analysis.
Qinglong is especially popular among Chinese developers and open-source enthusiasts. It has more than 19,000 stars on GitHub and has been forked over 3,200 times, showing strong adoption and a large user base.
Because many users self-host Qinglong on cloud servers or VPS environments, exposed panels became attractive targets for automated scanning and exploitation.
Two Vulnerabilities Combined for Full Server Access
The attack relied on chaining two separate vulnerabilities affecting Qinglong version 2.20.1 and earlier.
The first flaw, CVE-2026-3965, involved a misconfigured rewrite rule. Requests sent to /open/ were incorrectly routed to protected /api/ endpoints, unintentionally exposing administrative functions through a path that required no authentication.
The second flaw, CVE-2026-4047, came from inconsistent handling of uppercase and lowercase URL paths. The authentication system treated /api/ as case-sensitive, while Express.js routing accepted mixed-case paths like /aPi/, allowing attackers to bypass security checks.
When combined, these issues gave attackers unauthorized access to protected functions and the ability to execute commands remotely.
Why the Bugs Happened
According to researchers, both problems came from a mismatch between security middleware assumptions and Express.js routing behavior.
In simple terms, the security layer expected URLs to behave one way, while the web framework processed them differently. These subtle inconsistencies often become dangerous when developers rely on custom access control rules instead of centralized, tested authorization methods.
This type of flaw is increasingly common in modern web apps where middleware stacks, proxies, reverse proxies, and routing layers interact in unexpected ways.
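The following is an added example, not code from the article or from the Qinglong project: a tiny in-memory model of the two mismatches described above (a rewrite applied after the authorization decision, and a case-sensitive auth check in front of case-insensitive routing), beside a hardened version that canonicalizes the path before deciding and denies by default. The route table, the `/public/` allowlist and the function names are assumptions made for illustration; only the behaviour follows the article.

```javascript
// Added example, not Qinglong's code. Route prefixes, the /public/ allowlist
// and all function names are illustrative assumptions.

// Route table with an Express-like default: prefixes match case-insensitively.
const routes = [
  { prefix: "/api/", handler: () => "ADMIN_ACTION" }, // protected admin API
  { prefix: "/public/", handler: () => "OK" },        // hypothetical open route
];

function route(path) {
  const lower = path.toLowerCase(); // Express default: case-insensitive matching
  const r = routes.find((x) => lower.startsWith(x.prefix));
  return r ? r.handler() : "NOT_FOUND";
}

// Mismatch 1 (CVE-2026-3965 pattern): a rewrite maps /open/... onto /api/...
// AFTER the authorization decision was taken on the original path.
function rewriteOpenToApi(path) {
  return path.startsWith("/open/") ? "/api/" + path.slice("/open/".length) : path;
}

// Mismatch 2 (CVE-2026-4047 pattern): the auth check is case-sensitive.
function vulnerableRequiresAuth(rawPath) {
  return rawPath.startsWith("/api/");
}

function vulnerableServer(rawPath, authed) {
  if (vulnerableRequiresAuth(rawPath) && !authed) return "401";
  return route(rewriteOpenToApi(rawPath)); // /open/x and /aPi/x reach ADMIN_ACTION
}

// Hardened: canonicalize, apply the rewrite, then authorize the exact path the
// router will see. Everything not on the explicit allowlist requires auth.
function canonicalPath(rawPath) {
  let p = rawPath;
  try { p = decodeURIComponent(p); } catch (_) { /* keep undecodable input as-is */ }
  return p.toLowerCase().replace(/\/{2,}/g, "/");
}

const PUBLIC_PREFIXES = ["/public/"]; // deny by default; allowlist, not denylist

function hardenedServer(rawPath, authed) {
  const effective = rewriteOpenToApi(canonicalPath(rawPath));
  const isPublic = PUBLIC_PREFIXES.some((p) => effective.startsWith(p));
  if (!isPublic && !authed) return "401";
  return route(effective);
}
```

The decisive difference is that `hardenedServer` evaluates authorization on the same normalized, post-rewrite string the router consumes, so no spelling of the path can be "open" to one layer and "protected" to the other.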
Cryptominer Hidden as a Legitimate Process
Victims first noticed suspicious activity through a hidden process named .fullgc, which consumed between 85% and 100% of CPU resources.
The chosen name was clever. It mimicked “Full GC,” a legitimate garbage collection process often seen in Java environments. Since Full GC can naturally consume heavy resources, administrators may dismiss the warning signs rather than investigate immediately.
That camouflage gave attackers valuable time to keep mining cryptocurrency in the background.
How the Malware Was Installed
Researchers found that attackers modified Qinglong’s config.sh file and inserted malicious shell commands.
Those commands downloaded a mining binary into:
/ql/data/db/.fullgc
The malware was then launched silently in the background, allowing the infected machine to begin mining immediately.
The malicious infrastructure reportedly hosted multiple versions of the miner for Linux x86_64, ARM64, and macOS systems. That cross-platform support suggests a well-prepared campaign rather than a casual attack.
Infections Continued Across Multiple Setups
The attacks were not limited to one type of deployment. Researchers confirmed infections on several configurations, including systems protected by Nginx and SSL.
This is important because many administrators assume using HTTPS or placing an application behind a reverse proxy automatically improves security. While these layers help, they do not protect against vulnerabilities inside the application itself.
If the core software contains authentication bypass flaws, external protections may do little to stop direct abuse.
Delayed and Incomplete Response
Qinglong maintainers reportedly responded publicly on March 1 and advised users to update.
However, the first mitigation focused mainly on blocking command injection patterns. Researchers later stated that this was not enough because it did not fully resolve the authentication bypass root cause.
The effective repair reportedly arrived in a later patch that corrected middleware authorization logic.
This sequence highlights a recurring challenge in open-source security response: fixing symptoms first while deeper architectural flaws remain exposed.
What Users Should Do Immediately
Anyone running Qinglong should update to the latest secure version immediately.
Administrators should also:
Review CPU usage history for unexplained spikes
Search for hidden processes such as .fullgc
Inspect config.sh for unauthorized modifications
Audit scheduled tasks and shell scripts
Rotate credentials stored on the server
Restrict public access to admin panels
Use VPN or IP allowlists for management interfaces
If compromise is suspected, rebuilding the server from a clean image is safer than simply deleting the miner.
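As an added example (not from the article or the Qinglong project), the triage logic below turns the host-side indicators described above into a check over a process-table snapshot in `ps -eo pid,pcpu,comm,args --no-headers` layout. The `.fullgc` name, the `/ql/data/db/.fullgc` path and the 85% CPU threshold come from the article; the sample rows are constructed, and the function names are assumptions.

```javascript
// Added example, not Qinglong's code. Indicator values follow the article;
// the process snapshot below is constructed, not real telemetry.

const KNOWN_IOC_NAMES = [".fullgc"];
const KNOWN_IOC_PATHS = ["/ql/data/db/.fullgc"];
const CPU_THRESHOLD = 85; // article: miner ran at 85-100% CPU

// Parse one row in "<pid> <pcpu> <comm> <args...>" form; null if it does not fit.
function parsePsLine(line) {
  const m = line.trim().match(/^(\d+)\s+([\d.]+)\s+(\S+)\s*(.*)$/);
  if (!m) return null;
  return { pid: Number(m[1]), cpu: Number(m[2]), comm: m[3], args: m[4] };
}

// Return the rows worth a look, each with every reason it was flagged.
// CPU alone is ambiguous (a real Full GC is also CPU-heavy), so the name and
// path indicators are what separate the miner from a busy but legitimate JVM.
function triageProcessTable(psText) {
  const flagged = [];
  for (const line of psText.split("\n")) {
    const p = parsePsLine(line);
    if (!p) continue;
    const reasons = [];
    if (KNOWN_IOC_NAMES.includes(p.comm)) reasons.push("known IoC name");
    if (KNOWN_IOC_PATHS.some((ioc) => p.args.includes(ioc))) reasons.push("known IoC path");
    if (p.comm.startsWith(".")) reasons.push("dot-prefixed (hidden-style) command name");
    if (p.cpu >= CPU_THRESHOLD) reasons.push(`cpu ${p.cpu}% >= ${CPU_THRESHOLD}%`);
    if (reasons.length) flagged.push({ ...p, reasons });
  }
  return flagged;
}

// Constructed sample snapshot: a normal Node process, the disguised miner,
// and a legitimately busy JVM that only trips the CPU rule.
const SAMPLE_PS = `
  1234  1.2 node     node /ql/build/app.js
  2345 97.6 .fullgc  /ql/data/db/.fullgc
  3456 88.0 java     java -Xmx4g -jar app.jar
`;
```

Rows flagged for the CPU rule only deserve a second look rather than an alarm; a row that also matches a name or path indicator is the one to treat as a compromise and to rebuild from, as the article advises.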
What Undercode Says:
This incident is another reminder that attackers increasingly target developer tools rather than traditional enterprise software. Developers often deploy automation dashboards, CI/CD tools, task schedulers, and monitoring panels quickly, sometimes without enterprise-grade hardening.
Qinglong became attractive because it sits in a valuable position: connected to scripts, credentials, tokens, and server resources. Even if attackers only deployed a miner this time, the same access could be used for data theft, lateral movement, or supply-chain compromise.
The most dangerous part of this breach is not the miner. It is the authentication bypass. Mining malware is noisy and visible because it burns CPU. A stealthier attacker could have quietly stolen secrets, modified scripts, or inserted backdoors.
Another lesson is that open-source popularity creates visibility for attackers. Once a project gains thousands of stars and forks, it becomes worth scanning globally for exposed instances.
The routing mismatch also reflects a common engineering problem. Many teams trust frameworks without fully understanding edge cases like path normalization, case sensitivity, reverse proxy rewrites, or middleware order. These tiny logic gaps often create severe vulnerabilities.
Organizations should inventory all self-hosted developer tools the same way they inventory production applications. If a server runs internal automation software with internet exposure, it should be treated as critical infrastructure.
Fast patching is also essential. In many real-world attacks, exploitation begins before official advisories spread widely. Waiting for social media discussion or community confirmation can be costly.
Finally, this case shows why monitoring matters. The first clues came from users noticing abnormal CPU usage. Without performance monitoring, infections could have continued for months.
Fact Checker Results
✅ Two Qinglong vulnerabilities were reportedly chained to achieve unauthorized access and remote command execution.
✅ Malware disguised as .fullgc aligns with common attacker evasion tactics using familiar system process names.
❌ SSL, Nginx, or reverse proxies alone do not fix application-layer authentication flaws.
Prediction
🔮 More attackers will shift focus toward open-source admin panels and developer dashboards in 2026.
🔮 Authentication bypass bugs in self-hosted tools will become a major ransomware and botnet entry point.
🔮 Projects with rapid growth but limited security review will face increasing real-world exploitation.
References:
Reported By: www.bleepingcomputer.com