Docker Repositories: Pushing malwares and phishing sites? Here is the full scoop. Quick Look

In a shocking revelation, millions of Docker repositories have been found pushing malware and phishing sites. This alarming trend has been observed since early 2021.

The Discovery of malware in Docker Repositories

Security researchers at JFrog discovered that around 20% of the 15 million repositories hosted by Docker Hub contained malicious content. This content ranged from spam to dangerous malware and phishing sites. The researchers discovered almost 4.6 million repositories containing no Docker images. These couldn’t be run using a Kubernetes cluster or a Docker engine.

The Malicious Campaigns

The researchers linked approximately 2.81 million repositories to three large malicious campaigns. Each of these campaigns used different tactics to create and distribute the malicious repositories.

The Downloader Campaign

The “Downloader” campaign contained automatically generated texts with SEO text promoting pirated content or cheats for video games. It also included links to the software. This campaign operated in two distinct rounds, circa 2021 and 2023. Both rounds used exactly the same malicious payload, a malicious executable that most antivirus engines detect as a generic Trojan.

The eBook Phishing Campaign

The “eBook Phishing” campaign created nearly a million repositories offering free eBook downloads. These repositories contained randomly generated descriptions and download URLs. After promising a full free version of an eBook, the website redirects the targets to a phishing landing page asking them to enter their credit card information.

The Website SEO Campaign

The “Website SEO” campaign’s aim is unclear. While the content is mostly harmless, all repositories have the same name: “website”. “It is possible that the campaign was used as some sort of a stress test before enacting the truly malicious campaigns,” said JFrog.

The Aftermath

JFrog alerted the Docker security team of their findings. Docker has since removed all the repositories from Docker Hub. “Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub’s platform credibility, making it more difficult to identify the phishing and malware installation attempts,” JFrog added.

Conclusion

This incident showcases the need for enhanced moderation on Docker Hub and greater community involvement in detecting and mitigating malicious activity. As Murphy’s Law suggests, if something can be exploited by malware developers, it inevitably will be. Therefore, we can expect that these campaigns can be found in more repositories than just Docker Hub.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.