September 22, 2023

Researchers are given a warning on using shared container images, after finding 1652 on Docker Hub hiding nefarious content.

Containers are increasingly popular among the developer community as they’re lightweight, and easy to deploy and scale across different computing environments. DevOps teams often use publicly available container images that have been shared by others, to speed up time-to-market. The most popular free container registry is Docker Hub.

The threat actors are hiding malware in legitimate-looking images stored in Docker Hub. Although the number of malicious containers it found was a small percentage of the 250,000 analyzed during the research, they illustrate the potential risk to developers.


The most common malware types related to crypto-mining (37%), followed by embedded secrets (17%). These secrets are most commonly SSH keys, AWS credentials Github tokens and NPM tokens. Other common malicious image categories included proxy avoidance (16%), newly registered domains (8%) and malicious websites (8%).

The attacker can gain access once the container is deployed by embedding an SSH key or an API key. To prevent accidental leakage of credentials, sensitive data scanning tools can alert users as part of the development cycle.

Threat actors often hide their malware by naming images to mimic popular open-source software, in the hope that a careless developer will fall for the trick. It is recommended that the developers to take preemptive action, to scan publicly available images for potential threats.

This research was documented by researchers from Sysdig

Leave a Reply

%d bloggers like this: