Docker Hub images downloaded 20M times come with cryptominers


Level 72
Content Creator
Malware Hunter
Aug 17, 2014
Researchers found that more than two-dozen containers on Docker Hub have been downloaded more than 20 million times for cryptojacking operations spanning at least two years.

Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Aviv Sasson, part of the Palo Alto Networks threat intelligence team, Unit 42, discovered on Docker Hub 30 malicious images that are involved in cryptojacking operations.

The researcher found that they came from 10 different accounts. Some of them have names that clearly indicate their purpose, while others have misleading names like "proxy" or "ggcloud" or "docker."

Images from all but one account continue to be available on Docker Hub at the moment of writing. The owner of one account called "xmrigdocker" appears to have pulled their images from the registry. [...]
The full list of malicious Docker images that Sasson found is available in Unit 42's blog post.