In early 2026, the Qinglong task scheduler, a prominent open-source tool, became the target of hackers due to two critical authentication bypass vulnerabilities. These flaws allowed attackers to gain unauthorized access, leading to remote code execution and the installation of a cryptominer known as .fullgc.
Understanding the Qinglong Task Scheduler
Qinglong is widely used as a self-hosted task scheduling dashboard, supporting various scripting languages like Python 3 and JavaScript. It has garnered significant attention, particularly among developers in China, amassing over 19,000 stars on GitHub. Typically, users deploy Qinglong on cloud virtual private servers and home networks using Docker containers, making it a popular choice for automated task management.
However, vulnerabilities in the platform’s authentication system have been exploited, leading to unauthorized modifications and the deployment of malicious software.
Details of the Cryptomining Campaign
By February 7, 2026, server administrators noticed unusual activities, including CPU spikes reaching full capacity. Attackers exploited unpatched vulnerabilities to modify configuration scripts in Qinglong, downloading the .fullgc cryptominer disguised as a Java garbage collection process. This tactic delayed detection while the malware drained system resources.
The vulnerabilities resided in Qinglong versions 2.20.1 and earlier. Snyk researchers identified that these flaws resulted from discrepancies between security middleware assumptions and the Express.js framework’s routing behavior. Notably, CVE-2026-3965 and CVE-2026-4047 were the key vulnerabilities that attackers leveraged to bypass security protocols.
Response and Mitigation Efforts
The issue primarily went unnoticed within the English-speaking security community until it caused significant disruptions among developers. Between February 7 and March 1, 2026, the community reported multiple incidents of the .fullgc cryptominer causing severe server issues. On February 10, a public warning was issued, and by February 27, researchers disclosed the authentication bypass vulnerabilities as the root cause.
To combat this threat, GitHub contributors initially attempted to filter malicious inputs. However, these efforts were insufficient against the fundamental access control flaws. Eventually, the maintainers addressed the vulnerabilities by correcting the middleware’s authentication logic, urging users to update their systems promptly.
To protect their systems, operators are advised to update Docker containers, audit for hidden .fullgc files, and secure their self-hosted panels with VPNs. Staying informed through trusted cybersecurity channels is also recommended to prevent future incidents.
