2 min

Tags in this article

, ,

Security researchers warn developers about shared container images. This after finding malicious activity in 1652 publicly available Docker Hub images.

Sysdig researchers sound the alarm in their analysis. Developers in particular should pay attention, as they often use publicly available container images. This allows them to speed up time to market. Docker Hub, in this case, is a popular free container registry.

Malware in images

Now cybercriminals appear to be hiding malware in seemingly legitimate images in Docker Hub. In particular, it involves cryptomining and embedded secrets. The latter can include SSH keys, AWS credentials, GitHub tokens and NPM tokens. “Secrets can be embedded in an image due to unintentionally poor coding practices or this could be done intentionally by a threat actor,” Sysdig said.

Sysdig indicates that by embedding an SSH key or API key in a container, hackers can gain access once the container is deployed. To prevent accidental leakage of login credentials, Sysdig recommends sensitive data scanning tools. These can signal when something goes wrong.

Other malicious image categories include proxy avoidance, newly registered domains, malicious Web sites, hacking and dynamic DNS.


Sysdig analyzed 250,000 Linux images to understand what malicious payloads are hidden in container images on Docker Hub. 1652 of them turn out to be dangerous to developers as a result.

The researchers warn that cybercriminals hide malware by imitating the name of popular open source software. The methods used particularly target cloud and container workloads. Therefore, organizations deploying such workloads are wise to act carefully. This can be done, for example, by scanning the images for potential malware.

ALso read: Docker adds support for WebAssembly to Docker Desktop