Over a thousand Docker container images found hiding malicious content

malware
(Image credit: Elchinator from Pixabay )
Audio player loading…

Over a thousand container images hosted on the popular database repository Docker Hub are malicious, putting users at risk of cyberattack, experts have warned.

According to a report from Sysdig (opens in new tab), the images contained nefarious assets such as cryptominers, backdoors, and DNS hijackers. 

Container images are essentially templates for creating applications quickly and easily, without having to start from scratch when reusing certain features. Docker Hub allows users to upload and download these images to and from its public library.

Types of malware

The Docker Library Project reviews images and verifies those it deems to be trustworthy, but there are plenty that remain unverified. Sysdig automatically scanned a quarter of a million unverified Linux images, and found 1,652 to be hiding harmful elements. 

Cryptomining was the most common kind of malicious implant, present in 608 of its scanned images. Next were embedded secrets, such as AWS credentials, SSH keys, GitHub and NPM tokens. These were found in 208 of the images.

Sysdig commented that these embedded keys mean that, “the attacker can gain access once the container is deployed… uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor.”

Typosquatting was a popular and successful tactic used by threat actors in the compromised images - slightly misspelt versions of popular and trusted images in the hopes that potential victims will not notice and download their fraudulent version instead. 

Indeed, it worked at least 17,000 times, as this was the combined number of downloads of two typosquatted Linux images.

Sysdig claims that there has been a 15% rise this year in the amount of images pulled from the public library, so it looks as if the problem isn’t going away anytime soon.  

Lewis Maddison
Graduate Junior Writer

Lewis Maddison is a Graduate Junior Writer at TechRadar Pro. His coverage ranges from online security to the usage habits of technology in both personal and professional settings.


His main areas of interest lie in technology as it relates to social and cultural issues around the world, and revels in uncovering stories that might not otherwise see the light of day.


He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.