Backdoored images downloaded 5 million times are finally removed from Docker Hub

A single account published 17 malicious images over more than 10 months, earning its operators roughly 90,000 dollars.

A person or group of people earned about 90,000 dollars over 10 months by distributing 17 malicious images that were downloaded more than 5 million times from Docker Hub, according to researchers' reports. Docker Hub finally removed the images in May, more than eight months after receiving the first complaint.

Docker images are packages that usually bundle a pre-configured application together with the operating system layers it runs on. In July and August, one or more people using the Docker Hub account docker123321 uploaded three public images containing code to mine cryptocurrency. In September, a GitHub user complained that one of the images contained a backdoor.

Eight months of inaction

Neither the Docker Hub account nor the malicious images it had uploaded were deleted. Over the following months, the account uploaded 14 more malicious images. The uploads were publicly documented in January by the security firm Sysdig and again in May by a second information security company. Eight days after the May report, Docker Hub finally removed the images.

By the time Docker Hub removed the images, they had already been pulled more than 5 million times, earning the operators almost 545 Monero (XMR), worth up to 90,000 dollars at the time.

This malicious-image campaign, analyzed in detail on the information security company's blog, is a warning to developers about the images they pull into their work.

Specialists warn that, even though the images have been removed from Docker Hub, many servers that pulled them may still be infected. Information security experts from the International Institute of Cyber Security note that the malware can keep running even after administrators delete the backdoored image: a container already started from the image keeps running when the image is removed, and anything the container has already written to mounted host paths stays in place. Anyone who has pulled content from the docker123321 account should examine their systems for traces of infection.
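As a starting point for that examination, the following triage script is an added example written for this page; it is not code from the article, from the companies that reported the campaign, or from Docker. It flags local images and containers that come from the docker123321 namespace (the only name taken from the article) and separately lists containers still running from such an image, since deleting the image alone does not stop them. The sample listings embedded in the script are constructed so it runs without a Docker daemon; pass no arguments to query a live daemon instead.

```shell
#!/bin/sh
# Added triage helper (not from the article, the reporting companies or Docker):
# flag local images and containers from the docker123321 Docker Hub namespace.
# Only the namespace comes from the article; everything else is an assumption.

SUSPECT_NS="docker123321/"

# Constructed sample of `docker images --format '{{.Repository}}:{{.Tag}}'`.
SAMPLE_IMAGES='nginx:latest
docker123321/tomcat:latest
alpine:3.8
docker123321/mysql:latest'

# Constructed sample of `docker ps -a --format '{{.ID}}\t{{.Image}}\t{{.Status}}'`.
# The second container is still running; `docker rmi -f` on its image would not stop it.
SAMPLE_CONTAINERS="$(printf '3f1a2b9c0d4e\tnginx:latest\tUp 4 days\n9c8b7a6f5e4d\tdocker123321/tomcat:latest\tUp 12 days\n1a2b3c4d5e6f\talpine:3.8\tExited (0) 2 weeks ago')"

# Print image lines (repository:tag, one per line on stdin) in the suspect namespace.
suspect_images() {
    awk -v ns="$SUSPECT_NS" 'index($0, ns) == 1'
}

# Print container lines (id<TAB>image<TAB>status on stdin) whose image is suspect.
suspect_containers() {
    awk -F'\t' -v ns="$SUSPECT_NS" 'index($2, ns) == 1'
}

# Counts, so a caller can make a go/no-go decision without parsing output.
count_suspect_images() {
    printf '%s\n' "$1" | suspect_images | awk 'END { print NR }'
}

count_suspect_containers() {
    printf '%s\n' "$1" | suspect_containers | awk 'END { print NR }'
}

# IDs of suspect containers whose status still starts with "Up".
running_suspect_container_ids() {
    printf '%s\n' "$1" | suspect_containers | awk -F'\t' '$3 ~ /^Up/ { print $1 }'
}

# triage [IMAGES CONTAINERS]: print a report; return 1 if anything suspect was found.
# With no arguments, use the live daemon when reachable, otherwise the samples.
triage() {
    images="$1"
    containers="$2"
    if [ -z "$images" ] && [ -z "$containers" ]; then
        if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
            images="$(docker images --format '{{.Repository}}:{{.Tag}}')"
            containers="$(docker ps -a --format '{{.ID}}\t{{.Image}}\t{{.Status}}')"
        else
            echo "no Docker daemon reachable; using constructed sample data" >&2
            images="$SAMPLE_IMAGES"
            containers="$SAMPLE_CONTAINERS"
        fi
    fi
    ni="$(count_suspect_images "$images")"
    nc="$(count_suspect_containers "$containers")"
    echo "suspect images:     $ni"
    printf '%s\n' "$images" | suspect_images | sed 's/^/  /'
    echo "suspect containers: $nc"
    printf '%s\n' "$containers" | suspect_containers | sed 's/^/  /'
    # These keep running after the image is deleted: stop and remove them,
    # then inspect the host for anything they left behind.
    echo "still running from a suspect image:"
    running_suspect_container_ids "$containers" | sed 's/^/  /'
    if [ "$ni" -eq 0 ] && [ "$nc" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Demo run on the constructed data; call `triage` with no arguments on a real host.
triage "$SAMPLE_IMAGES" "$SAMPLE_CONTAINERS" || echo "ACTION REQUIRED: suspect artifacts found" >&2
```

The script reads the same `--format` output a live daemon produces, so on a real host the only change is dropping the arguments to `triage`. A clean result from it is necessary but not sufficient: it only proves the image namespace is gone from Docker's own state, not that the host itself is clean.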