Millions of Malicious Containers Found on Docker Hub

Written by

Three large-scale malware campaigns have infiltrated Docker Hub, deploying millions of malicious “imageless” containers.

The data comes from JFrog’s security research team, which recently revealed a concerning trend within Docker Hub.

The platform, known for facilitating Docker image development, collaboration and distribution, hosts over 12.5 million repositories. However, according to JFrog, approximately 25% of these repositories lack useful functionality and serve instead as vehicles for spam, pirated content promotion and malware dissemination.

According to the report published today, the attack on Docker Hub exploited its community features, allowing users to publish repositories with only documentation pages, devoid of actual container images. Disguised as legitimate content, these documentation pages lead unsuspecting users to phishing and malware-hosting websites.

To identify these malicious repositories, the research team analyzed the creation patterns of Docker Hub images over the past five years. They discovered anomalies in repository creation, identifying over three million imageless repositories, constituting 20% of all public repositories.

Further investigation revealed three main malware campaigns: the “Downloader” campaign, which offers pirated content and game cheats; the “eBook Phishing” campaign, which lures users with free eBook downloads to steal credit card information; and the “Website” campaign, characterized by randomly generated repositories containing benign descriptions.

Each campaign employed distinct tactics to evade detection, such as URL shorteners and open redirect bugs. The payloads of these campaigns, predominantly Trojans, communicated with command-and-control (C2) servers to download additional malware and execute persistent tasks on infected systems.

Read more on similar threats: New Malware Campaign Exploits 9hits in Docker Assault

“The most concerning aspect of these three campaigns is that there is not a lot that users can do to protect themselves at the outset other than exercising caution,” warned Andrey Polkovnichenko, security researcher at JFrog. “We’re essentially looking at a malware playground that, in some cases, has been three years in the making.”

These findings have significant implications, highlighting the need for enhanced moderation on Docker Hub and greater community involvement in detecting and mitigating malicious activity. 

“These threat actors are highly motivated and are hiding behind the credibility of the Docker Hub name to lure victims,” Polkovnichenko added.

“As Murphy’s Law suggests, if something can be exploited by malware developers, it inevitably will be, so we expect that these campaigns can be found in more repositories than just Docker Hub.”

What’s hot on Infosecurity Magazine?