Security researchers at Snyk have issued a warning regarding active, in-the-wild exploitation of Qinglong (青龙), a widely used open-source task management platform. With over 19,000 GitHub stars, the platform has become a prime target for attackers who are leveraging two critical authentication bypass vulnerabilities to deploy cryptocurrency miners.
Starting in early February 2026, users began reporting that their servers were “maxing out CPU usage” due to a mysterious hidden process named .fullgc. While initially prominent in Chinese developer forums, the threat poses a significant risk to any organization running unpatched versions of the software on cloud VPS or home servers.
The campaign exploits two distinct flaws in Qinglong version 2.20.1 and earlier, both stemming from how the application’s security middleware interacts with the Express.js framework.
- URL Rewriting Bypass (CVE-2026-3965): A flaw in request handling allowed attackers to “reinitialize admin credentials with a single unauthenticated request”. One crafted request to a specific endpoint was enough to reset the admin password and take total control of the instance.
- Case-Sensitivity Bypass (CVE-2026-4047): This vulnerability exploits a mismatch between the authentication middleware, which compares the request path case-sensitively, and the Express router, which matches route paths case-insensitively by default. A handler registered under /api/ therefore also serves /aPi/ (or any other mixed-case spelling), while the auth check sees a path that is not /api/ and lets it through. Attackers discovered that “requesting /aPi/ instead of /api/ bypasses the auth check entirely,” granting unauthenticated remote code execution (RCE).
As the Snyk report explains, “Both vulnerabilities stem from a mismatch between the security middleware’s assumptions and the framework’s behavior… when authorization logic operates on a different view of the request than the routing layer, bypasses can easily arise”.
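The mismatch Snyk describes, as an added example that is not Qinglong's code or Snyk's: a guard that decides "is this protected?" with a case-sensitive string prefix, sitting in front of a router that matches paths case-insensitively, beside a deny-by-default guard that uses the router's own matcher. Express is not imported; its default case-insensitive routing is simulated with the regex `i` flag, and the routes, handlers and token are constructed for the demonstration.

```javascript
// Added example: a model of the case-sensitivity mismatch, not Qinglong code.
// Express matches route paths case-insensitively unless "case sensitive
// routing" is enabled; that behaviour is simulated here with the /i regex
// flag so the file runs without Express. Routes, handlers and the token are
// constructed for the demonstration.
const SECRET = 'constructed-token';

const routes = [
  { method: 'POST', pattern: /^\/api\/crons$/i,       public: false, handler: () => 'cron created' },
  { method: 'POST', pattern: /^\/api\/user\/login$/i, public: true,  handler: () => 'login handled' },
];

function validToken(req) {
  return req.headers !== undefined && req.headers.authorization === `Bearer ${SECRET}`;
}

// The router's view of the request: first route whose pattern matches.
function matchRoute(req) {
  return routes.find((r) => r.method === req.method && r.pattern.test(req.path));
}

function dispatch(req) {
  const r = matchRoute(req);
  return r ? r.handler(req) : '404 not found';
}

// Vulnerable: the guard re-derives "is this protected?" from a
// case-sensitive string prefix, so '/aPi/crons' is treated as public while
// the router still delivers it to the protected handler.
function vulnerableServer(req) {
  const isProtected = req.path.startsWith('/api/') && !req.path.startsWith('/api/user/login');
  if (isProtected && !validToken(req)) return '401 unauthorized';
  return dispatch(req);
}

// Hardened: deny by default, and let the same matcher the router uses decide
// whether the request lands on an explicitly public route. There is no
// separate string comparison for the routing layer to disagree with.
function hardenedServer(req) {
  const r = matchRoute(req);
  if (r !== undefined && r.public) return r.handler(req);
  if (!validToken(req)) return '401 unauthorized';
  return dispatch(req);
}

// Unauthenticated POSTs against both servers.
function demo() {
  const anon = (p) => ({ method: 'POST', path: p, headers: {} });
  return {
    vulnExact:  vulnerableServer(anon('/api/crons')),     // '401 unauthorized'
    vulnMixed:  vulnerableServer(anon('/aPi/crons')),     // 'cron created'  <-- bypass
    hardMixed:  hardenedServer(anon('/aPi/crons')),       // '401 unauthorized'
    hardPublic: hardenedServer(anon('/aPi/user/login')),  // 'login handled'
  };
}

console.log(demo());
```

Enabling Express's `case sensitive routing` setting would also make the two layers agree, but it changes which URLs the application serves, and case is only one normalization the router applies (trailing slashes are tolerated by default too). Deciding authorization with the router's own matcher, and denying anything that is not explicitly public, removes the whole class rather than one spelling.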
Once attackers gain unauthenticated access, they modify the platform’s configuration files to inject a malicious shell script. The script then downloads a platform-specific binary from an external domain, supporting Linux, ARM64, and macOS.
The choice of the filename .fullgc is particularly deceptive. In Java environments, a “Full GC” (Full Garbage Collection) is a legitimate JVM phase known for causing temporary CPU spikes. By mimicking this behavior, the malware “could delay an administrator’s investigation” into why their server is suddenly running at 100% capacity.
While initial community attempts to fix the issue focused on blocking specific commands like curl or wget, the project maintainers eventually addressed the root cause at the middleware level. Blocking individual download tools only removes one delivery method; an attacker who still has unauthenticated access can fetch the payload any other way. Snyk notes that prioritizing the access control fix over simple payload blocking reflects “the correct security practice”.
If you run Qinglong, check for these signs of compromise immediately:
- Hidden Binaries: Search for the miner at /ql/data/db/.fullgc.
- Config Tampering: Check config.sh for references to “fullgc” or the “551911” domain.
- CPU Spikes: Audit active processes for any fullgc background tasks.
Users who find signs of infection are urged to delete mapped Docker volumes entirely, clean their configuration files, and recreate their containers using the latest patched image. Because the first flaw lets an attacker reinitialize the admin credentials, set new admin credentials after rebuilding as well.