"Docker Hub Repositories Hide Over 1,650 Malicious Containers"

More than 1,600 publicly available Docker Hub images conceal malicious behavior, such as cryptocurrency miners, embedded secrets that can be used as backdoors, Domain Name System (DNS) hijackers, and website redirectors. Docker Hub is a cloud-based container library that allows users to search for and download Docker images, and to upload their own creations to the public library or to personal repositories. Docker images are templates for quickly and easily creating containers with ready-to-use code and applications, so those looking to start new instances often turn to Docker Hub for an easily deployable application.

Because threat actors abuse the service, over a thousand malicious uploads pose serious risks to unsuspecting users who deploy malware-laden images in locally hosted or cloud-based containers. Many of the malicious images borrow the names of popular and trustworthy projects, indicating that the threat actors uploaded them to trick users into downloading them.

Sysdig researchers explored the issue to assess the scope of the problem and reported on images found to contain malicious code or mechanisms. Aside from images verified as trustworthy by the Docker Library Project, the service hosts hundreds of thousands of images with an unknown status. Sysdig examined 250,000 unverified Linux images with its automated scanners and identified 1,652 of them as malicious. The most prevalent category was cryptocurrency miners, found in 608 container images. Images with embedded secrets were the second most common, accounting for 281 cases; these images contain SSH keys, AWS credentials, GitHub tokens, NPM tokens, and other secrets. This article continues to discuss the discovery of over 1,600 malicious containers hidden in Docker Hub repositories.
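The embedded-secrets finding above is the one a defender can check for directly before running an unverified image. The script below is an added example, not code from the article or from Sysdig: it unpacks a `docker save` tarball in memory and scans every file in every layer for a few well-known credential formats (the regexes are illustrative assumptions, not a complete ruleset). It scans each layer separately rather than the merged filesystem, because a secret planted in one layer and "deleted" in a later one (via a whiteout entry) is still present in the image and still retrievable. The sample image is constructed inline so the script runs offline.

```python
import io
import re
import tarfile

# Illustrative patterns for the secret types named in the article (assumed formats,
# not an exhaustive or authoritative ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(rb"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}

MAX_FILE_BYTES = 4 * 1024 * 1024  # skip huge binaries; tune for your environment


def scan_bytes(data: bytes) -> list:
    """Return the sorted list of secret kinds whose pattern matches `data`."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(data))


def scan_layer(layer_bytes: bytes) -> list:
    """Scan every regular file in one layer tarball; return [(path, [kinds]), ...]."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            kinds = scan_bytes(fh.read())
            if kinds:
                findings.append((member.name, kinds))
    return findings


def scan_saved_image(image_bytes: bytes) -> dict:
    """Walk a `docker save` tarball and scan each layer on its own.

    Layers are `<id>/layer.tar` in the classic format or `blobs/sha256/<digest>`
    in the OCI layout; non-tar blobs (config JSON) are skipped.
    """
    results = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as img:
        for member in img:
            if not member.isfile():
                continue
            if not (member.name.endswith("layer.tar") or member.name.startswith("blobs/sha256/")):
                continue
            blob = img.extractfile(member).read()
            try:
                results[member.name] = scan_layer(blob)
            except tarfile.ReadError:
                continue  # not a layer tarball (e.g. image config blob)
    return results


def _tar_bytes(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed sample image: layer 1 plants credentials, layer 2 'removes' them.

    The `.wh.credentials` entry is a whiteout marker: the merged filesystem no
    longer shows the file, but layer 1 still carries it, so a layer-by-layer scan
    still reports it. All values here are fake.
    """
    layer1 = _tar_bytes({
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\n",
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "usr/bin/app": b"#!/bin/sh\necho hello\n",
    })
    layer2 = _tar_bytes({
        "root/.aws/.wh.credentials": b"",  # whiteout: hides the file in the final view only
        "etc/motd": b"Welcome\n",
    })
    return _tar_bytes({
        "manifest.json": b"[]",
        "aaaa/layer.tar": layer1,
        "bbbb/layer.tar": layer2,
    })


if __name__ == "__main__":
    for layer, hits in scan_saved_image(build_sample_image()).items():
        for path, kinds in hits:
            print(f"{layer}: {path} -> {', '.join(kinds)}")
```

To use it on a real image, run `docker save <image> -o image.tar` and pass the file's bytes to `scan_saved_image`; any hit in any layer is a reason not to deploy the image, regardless of whether the file is visible in a running container.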

Bleeping Computer reports "Docker Hub Repositories Hide Over 1,650 Malicious Containers"
