Experts Find 1600+ Malicious Docker Hub Images

Written by

Security researchers have warned developers of the dangers of using shared container images, after finding 1652 on Docker Hub hiding nefarious content.

Containers are increasingly popular among the developer community as they’re lightweight, and easy to deploy and scale across different computing environments.

As with the use of open source code repositories, DevOps teams often use publicly available container images that have been shared by others, to speed up time-to-market. The most popular free container registry is Docker Hub.

However, Sysdig warned in a new report that threat actors are hiding malware in legitimate-looking images stored in Docker Hub. Although the number of malicious containers it found was a small percentage of the 250,000 analyzed during the research, they illustrate the potential risk to developers.

The most common malware types related to crypto-mining (37%), followed by embedded secrets (17%). These secrets are most commonly SSH keys, AWS credentials Github tokens and NPM tokens, it said.

“Secrets can be embedded in an image due to unintentionally poor coding practices or this could be done intentionally by a threat actor,” the report noted.

“By embedding an SSH key or an API key into the container, the attacker can gain access once the container is deployed. To prevent accidental leakage of credentials, sensitive data scanning tools can alert users as part of the development cycle.”

Sysdig also warned that threat actors often hide their malware by naming images to mimic popular open source software, in the hope that a careless developer will fall for the trick.

Other common malicious image categories included proxy avoidance (16%), newly registered domains (8%) and malicious websites (8%).

The vendor urged developers to take preemptive action, to scan publicly available images for potential threats.

“The methods employed by malicious actors described by Sysdig are specifically targeted at cloud and container workloads,” it concluded.

“Organizations deploying such workloads should ensure that they enact appropriate preventative and detective security controls that are capable of mitigating cloud-targeting attacks.”

Editorial credit icon image: Sundry Photography /

What’s hot on Infosecurity Magazine?