Hackers abuse container technology to execute supply chain attacks

News
By
published

Malicious container images were hidden in plain sight on Docker Hub

containers
(Image credit: Pixabay)

Cybercriminals have begun using malicious container images as a means to install cryptominers on enterprise networks though they can also be used as part of a supply chain attack targeting cloud native environments.

The cybersecurity firm Aqua Security uncovered several supply chain attacks that use malicious container images to compromise their victims when its threat research team, Team Nautilus was performing its daily scan of Docker Hub for malicious activity according to a new blog post.

The first three container images the research team discovered (thanhtudo, thieunutre and chanquaa) all execute a script called dao.py which is written in Python and was previously used in several campaigns that leveraged typo squatting to hide their malicious container images on Docker Hub.

The dao.py script executes a binary called xmrig that is actually a Monero cryptocurrency miner hidden in one of the layers of the container image.

Malicious container images

Two of the container images (openjdk and golang) discovered by Aqua Security use misleading titles to appear as official container images from OpenJDK and Golang respectively. 

The cybercriminals behind this campaign designed them in such a way that a busy user may accidentally mistake them as official container images despite the fact that their Docker Hub accounts are not official. After running these container images, the binary xmrig is executed which hijacks network resources for cryptocurrency mining.

Although the first two container images (thanhtudo and thieunutre) are likely intended to be used as part of a supply chain attack, the others are used primarily to mine cryptocurrency. Still though, all five malicious container images have gained over 120,000 pulls from Docker Hub.

In order to protect your organization and its network from both cryptominers and supply chain attacks, Aqua Security recommends controlling access to public registries, scanning container images for malware using both static and dynamic analysis and digitally signing container images to maintain image integrity.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
Trojan
Hackers hide malware into website images to go unnoticed
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
Latest in News
Apple's Craig Federighi demonstrates the iPhone Mirroring feature of macOS Sequoia at the Worldwide Developers Conference (WWDC) 2024.
Report: iOS 19 and macOS 16 could mark their biggest design overhaul in years – and we have one request
Google Gemini Calendar
Gemini is coming to Google Calendar, here’s how it will work and how to try it now
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound
Apple iPhone 16e
Which affordable phone wins the mid-range race: the iPhone 16e, Nothing 3a, or Samsung Galaxy A56? Our latest podcast tells all
An image of a Jackbox Games Party Pack
Jackbox games is coming to smart TVs in mid-2025, and I can’t wait to be reunited with one of my favorite party video games
More about security
botnet

YouTubers targeted by blackmail campaign to promote malware on their channels
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
Half man, half AI.

Three key AI considerations for engineering leaders
See more latest
Most Popular
Vodafone logo outside a store in Sydney
Vodafone employees could lose bonuses if they’re not in office 8 days per month
An image of a Jackbox Games Party Pack
Jackbox games is coming to smart TVs in mid-2025, and I can’t wait to be reunited with one of my favorite party video games
Google Gemini Calendar
Gemini is coming to Google Calendar, here’s how it will work and how to try it now
Ryzen AI Max+ 395
Race to launch most powerful AI mini PC ever heats up as GMKTec confirms Ryzen AI Max+ 395 product for May 2025
Apple iPhone 16e
Which affordable phone wins the mid-range race: the iPhone 16e, Nothing 3a, or Samsung Galaxy A56? Our latest podcast tells all
Apple's Craig Federighi demonstrates the iPhone Mirroring feature of macOS Sequoia at the Worldwide Developers Conference (WWDC) 2024.
Report: iOS 19 and macOS 16 could mark their biggest design overhaul in years – and we have one request
Whirlwind I Computer
Happy birthday, Director! The first operating system in the world turns 70 today
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
Tesla Model 3
Tesla's EV sales are plummeting – as used Model Y and Model 3 prices crash to bargain levels
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound