Go to listing page

Hackers Abuse Docker Hub Repositories to Disguise Malicious Containers

Hackers Abuse Docker Hub Repositories to Disguise Malicious Containers
Threat actors are abusing Docker Hub repositories to upload malicious containers that can help them mine cryptocurrencies and embed secret files supporting backdoors, DNS hijackers, and website redirectors.

The latest discovery

Sysdig researchers performed an analysis of over 250,000 unverified Linux images based on several categories and found 1,652 of them containing nefarious content.
  • The type of content was categorized as cryptomining (608), embedded secrets (281), proxy avoidance (266), newly registered domains (134), malicious websites (129), hacking (38), dynamic DNS (33), and others (288).
  • Based on the type of leaked secret, these images are subcategorized as SSH keys (155), AWS credentials (146), GitHub tokens (134), NPM tokens (24), and others (78).

How does it work?

  • The size of the Docker Hub public library is huge, thus its operators cannot scrutinize all uploads daily. Due to this, many malicious images go unreported.
  • These malicious images used typosquatting to impersonate legitimate and trusted images to infect users with cryptominers, such as XMRig.
  • Although threat actors used different usernames to publish these images, researchers suggest they most likely belong to the same threat actor or are following the same set of instructions.

Recent attacks on Docker

  • At the beginning of this month, a new cryptojacking campaign called Kiss-a-Dog was observed targeting vulnerable cloud infrastructure, including poorly secured Docker and Kubernetes servers.
  • In September, Kinsing malware was seen taking advantage of security flaws in the WebLogic Server, targeting container environments via misconfigured open Docker Daemon API ports.


Abuse of publicly available Docker containers introduces severe risks to unsuspecting users. Hackers deploy malware-laden images on locally hosted or cloud-based containers while hiding something flagitious within their layers. Keeping container-related security woes in mind, users are recommended to be extra cautious while downloading anything and imply automated security update mechanisms for safety and precautions.
Cyware Publisher