DevSecOps, Threat Management

Malicious containers prevalent in Docker Hub repositories

Malicious behaviors have been found in 1,652 of 250,000 unverified Linux images that are publicly available on Docker Hub, reports BleepingComputer. Cryptominers accounted for the largest number of malicious images, followed by images with embedded secrets, including SSH keys, Amazon Web Services credentials, GitHub tokens, and NPM tokens, according to a Sysdig report. Embedding secrets in public images may be either accidental or intentional, Sysdig researchers said. "By embedding an SSH key or an API key into the container, the attacker can gain access once the container is deployed... For instance, uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor," Sysdig said. Typosquatting has also been used to pass off cryptominer-laced images as trusted ones. The security risk from Docker Hub images is expected only to grow as public repository-based images see increasing use on the platform.
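The embedded-secret cases above are the ones a team can catch before an image is deployed. The following added example (not Sysdig's tooling or code from the report) scans an exported container root filesystem, as produced by `docker export`, for the indicator types the report names: an `authorized_keys` file planted in a home directory, AWS access key IDs, GitHub personal access tokens, NPM auth tokens, and private key blocks. The regexes follow the publicly documented formats of those credentials; the function names, the `Finding` type and the sample filesystem are constructed here for illustration.

```python
import io
import re
import tarfile
from dataclasses import dataclass

# Documented formats of the credential types named in the report.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm-auth-token": re.compile(r"_authToken\s*=\s*\S+"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
# A public key is only a backdoor indicator when it sits in authorized_keys.
AUTHORIZED_KEY_LINE = re.compile(r"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+\S+")
SENSITIVE_PATH_SUFFIXES = (".ssh/authorized_keys",)
MAX_FILE_BYTES = 1_000_000  # skip large binaries; planted secrets live in small text files


@dataclass(frozen=True)
class Finding:
    path: str   # absolute path inside the image filesystem
    kind: str   # which indicator matched
    line: int   # 1-based line number within the file


def scan_rootfs_tar(data: bytes) -> list[Finding]:
    """Scan an exported container filesystem (tar bytes) and return every
    embedded-secret indicator found. Hypothetical helper, not a real tool."""
    findings: list[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            path = "/" + member.name.removeprefix("./").lstrip("/")
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            in_authorized_keys = path.endswith(SENSITIVE_PATH_SUFFIXES)
            for lineno, line in enumerate(text.splitlines(), start=1):
                if in_authorized_keys and AUTHORIZED_KEY_LINE.match(line):
                    findings.append(Finding(path, "ssh-authorized-key", lineno))
                for kind, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append(Finding(path, kind, lineno))
    return findings


def build_sample_rootfs() -> bytes:
    """Constructed sample image filesystem for demonstration only.
    Every value below is a placeholder, not a live credential."""
    gh_token = "ghp_" + "x" * 36
    files = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial someone@example\n",
        "root/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                 "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "app/.npmrc": "//registry.npmjs.org/:_authToken=npm_constructedSampleToken0000000000\n",
        "app/config.json": '{"github": "' + gh_token + '"}\n',
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
                            "-----END OPENSSH PRIVATE KEY-----\n",
        "usr/share/doc/README": "Nothing sensitive here.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


if __name__ == "__main__":
    # Real usage: docker create <image> && docker export <ctr> > rootfs.tar
    for f in scan_rootfs_tar(build_sample_rootfs()):
        print(f"{f.kind:20} {f.path}:{f.line}")
```

Run this against the constructed sample and it reports five findings: the planted `authorized_keys` entry, the AWS key ID, the NPM token, the GitHub token and the private key, while the README produces nothing. In a pipeline the same function would run on the real `docker export` output of any image pulled from an unverified repository, gating deployment on an empty result.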
