
Hackers Exploit RCE Flaws in Qinglong Task Scheduler for Cryptomining
Why It Matters
The breach demonstrates how subtle framework mismatches can enable ransomware‑style cryptomining, exposing thousands of Qinglong deployments to resource‑draining attacks and highlighting the need for rapid patching of open‑source components.
Key Takeaways
- Two RCE bugs affect Qinglong versions ≤2.20.1
- CVE‑2026‑3965 exposes admin endpoints via unauthenticated /open/*
- CVE‑2026‑4047 bypasses auth using case‑insensitive routing
- Attackers deployed cryptominers, CPU usage up to 100%
- Fix released in PR #2941 correcting middleware authentication
Pulse Analysis
Qinglong, a self‑hosted task scheduling platform favored by Chinese developers, has become a critical piece of many CI/CD pipelines. Its popularity—over 19,000 GitHub stars and 3,200 forks—means that a security flaw can ripple across a wide ecosystem. The root cause of the two disclosed CVEs lies in an assumption mismatch: the authentication middleware treats URL paths as case‑sensitive, while Express.js routing resolves them case‑insensitively. This subtle discrepancy opened an unauthenticated path to admin APIs, allowing remote code execution without user interaction.
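As an added illustration (not Qinglong's code, with route names and the `/api/` and `/open/` prefixes chosen as assumptions), the mismatch reduces to a middleware that gates on the raw, case-sensitive path while the router matches case-insensitively; the hardened check normalises the path the way the router does and denies by default. Express also has a `case sensitive routing` app setting, but deriving the auth decision from the same normalisation the router applies is the more robust fix.

```javascript
// Added example, not Qinglong's code: a minimal model of the root cause
// described above. Route names and prefixes are assumptions.

// Routes as an Express app would register them. Express's default is
// case-insensitive route matching ('case sensitive routing' is off).
// '/api/envs' stands in for an admin endpoint, '/open/health' for a public one.
const ROUTES = ['/open/health', '/api/envs'];

// Express-style lookup: compares paths case-insensitively.
function findRoute(pathname) {
  const p = pathname.toLowerCase();
  return ROUTES.find(r => r.toLowerCase() === p) || null;
}

// Vulnerable middleware: only an exact-case '/api/' prefix is treated as
// protected, so a differently cased path is waved through as "public"
// while the router still dispatches it to the admin handler.
function vulnerableRequiresAuth(pathname) {
  return pathname.startsWith('/api/');
}

// Hardened middleware: normalise the path the same way the router does
// and deny by default: auth is required unless the path is on a short
// public allowlist.
const PUBLIC_PREFIXES = ['/open/'];
function hardenedRequiresAuth(pathname) {
  const p = pathname.toLowerCase();
  return !PUBLIC_PREFIXES.some(prefix => p.startsWith(prefix));
}

// Request pipeline: middleware decision first, then routing.
// Returns the HTTP status code the client would receive.
function handle(pathname, authenticated, requiresAuth) {
  if (requiresAuth(pathname) && !authenticated) return 401;
  return findRoute(pathname) ? 200 : 404;
}

// Stand-alone run: the same unauthenticated requests under each check.
if (typeof require !== 'undefined' && require.main === module) {
  for (const path of ['/api/envs', '/API/envs', '/open/health']) {
    console.log(path, 'vulnerable:', handle(path, false, vulnerableRequiresAuth),
                'hardened:', handle(path, false, hardenedRequiresAuth));
  }
}
```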
The exploitation timeline shows a classic cryptomining campaign. Researchers at Snyk observed malicious activity as early as February 7, well before public disclosure. Attackers leveraged the bypass to modify Qinglong’s config.sh, pulling miner binaries from a remote host (file.551911.xyz) and executing them under a deceptive process name, ".fullgc," to hide in plain sight. Infected systems reported CPU utilization spikes between 85% and 100%, degrading performance for legitimate workloads. The campaign targeted both bare‑metal and Nginx‑proxied deployments, demonstrating that even SSL‑terminated setups are not immune when the underlying application logic is flawed.
The response underscores the challenges of maintaining open‑source security. The maintainer’s initial pull request #2924 attempted to block command‑injection patterns but did not address the underlying auth bypass, prompting continued infections. The definitive fix arrived with PR #2941, which realigned middleware checks with Express.js routing behavior. This incident serves as a cautionary tale for DevOps teams: regular dependency audits, timely patch application, and thorough testing of authentication flows are essential to prevent similar supply‑chain attacks. As open‑source components proliferate, organizations must treat them with the same rigor as proprietary software to safeguard operational integrity.