Security researchers at JFrog have reported that Docker Hub, one of the largest registries for container images, has been abused since early 2021 by three large-scale campaigns that together created millions of repositories serving malware and phishing pages rather than container images.
Of the roughly 15 million repositories hosted on Docker Hub, almost 20% contained malicious content: spam, links to malware, and phishing sites. A figure of that size shows that the problem was not a handful of bad images but a sustained abuse of the platform itself, and it makes the case for stronger moderation and monitoring on the registry.
The JFrog researchers identified almost 4.6 million "imageless" repositories: repositories that held no image layers at all, so nothing could be pulled from them by a Docker engine or a Kubernetes cluster. Their only content was the repository description page that Docker Hub renders publicly. Of these, around 2.81 million repositories were linked to three major malicious campaigns, which JFrog named "Website SEO," "Downloader," and "eBook Phishing."
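The imageless pattern is easy to check for on the consumer side: a repository with no pullable tags has no legitimate use, and one that additionally links off-site from its description matches the campaigns described here. The following triage script is an added example written for this article, not JFrog's tooling or Docker's code. It assumes the field names of Docker Hub's v2 repository and tags endpoints (`description`, `full_description`, and the `results` array returned by `/v2/repositories/{namespace}/{name}/tags`); the sample records are constructed inline so the script runs offline.

```python
"""Triage Docker Hub repository metadata for the "imageless" spam pattern:
no pullable tags, plus outbound links in the description text.

Added example for this article; not JFrog's or Docker's code.
Field names are an assumption based on Docker Hub's v2 API
(/v2/repositories/{ns}/{name}/ and its /tags endpoint)."""
import re
from dataclasses import dataclass, field

# Bare URL matcher; good enough for rendered README text.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)

# Hosts that a legitimate description may link to without raising a flag.
FIRST_PARTY_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com"}


@dataclass
class HubRepo:
    namespace: str
    name: str
    description: str = ""        # short description shown in search results
    full_description: str = ""   # README-style text rendered on the repo page
    tags: list = field(default_factory=list)  # "results" from the /tags endpoint

    @property
    def ref(self):
        return f"{self.namespace}/{self.name}"


def outbound_links(repo):
    """Hostnames linked from the description text that are not first-party."""
    hosts = set()
    text = repo.description + "\n" + repo.full_description
    for match in URL_RE.finditer(text):
        host = match.group(0).split("/")[2].lower()
        if host not in FIRST_PARTY_HOSTS:
            hosts.add(host)
    return hosts


def classify(repo):
    """Return one of:
    'image'              - at least one tag exists, so something can be pulled
    'imageless'          - no tags, no outbound links (e.g. a placeholder)
    'imageless-linking'  - no tags, but the description links off-site: the
                           signature of the SEO / phishing repositories
    """
    if repo.tags:
        return "image"
    return "imageless-linking" if outbound_links(repo) else "imageless"


def triage(repos):
    """Map repository reference -> classification for a batch of records."""
    return {r.ref: classify(r) for r in repos}


# Constructed sample records (not real Docker Hub data).
SAMPLE_REPOS = [
    HubRepo("example-user", "free-ebook-epub",
            description="Download the full free eBook now",
            full_description="## Get your copy\nhttps://ebook-download.example/get?id=42",
            tags=[]),
    HubRepo("library", "alpine",
            description="A minimal Docker image based on Alpine Linux",
            full_description="See https://hub.docker.com/_/alpine for details",
            tags=[{"name": "3.19", "digest": "sha256:" + "0" * 64}]),
    HubRepo("example-user", "website",
            description="website",
            tags=[]),
]

if __name__ == "__main__":
    for ref, verdict in triage(SAMPLE_REPOS).items():
        print(f"{ref:35} {verdict}")
```

In practice the same logic can be run over the JSON returned by the v2 endpoints named above; the point is that the absence of a pullable tag, not the content of any image, is the cheapest signal that a hub.docker.com link is being used as a landing page rather than as a registry entry.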
The "Downloader" campaign, which ran in two rounds starting in 2021, advertised pirated content and video-game cheats through automatically generated SEO text in the repository descriptions. The linked payload, when run, shows the user an ordinary download-and-install prompt for the advertised software while, in the background, it fetches additional malicious binaries and creates a scheduled task so they run again on the compromised system.
In the "eBook Phishing" campaign, nearly a million repositories advertised free eBook downloads. The download link led to a phishing landing page that promised the full eBook for free and then asked for credit card details.
The "Website SEO" campaign looks harmless on its face: it created repositories that all shared an identical name and held only benign content. Its purpose remains unclear, but JFrog speculates it may have been a test run for the more harmful campaigns.
Alongside these three, JFrog also found a number of smaller campaigns, each with fewer than 1,000 repositories, consisting mostly of spam and SEO content.
After identifying the campaigns, JFrog reported them to the Docker security team, which removed all 3.2 million suspicious repositories from Docker Hub. That the cleanup took a single coordinated report, after more than three years of activity, shows how much platforms like Docker Hub depend on continuous moderation rather than one-off sweeps.
What made these campaigns effective is that every landing page lived on hub.docker.com: a link to a Docker Hub repository carries the platform's reputation, is indexed by search engines, and looks nothing like a typical phishing or malware URL, so users had little reason to suspect it. With nearly three million malicious repositories created over more than three years, the incident makes a clear case for stronger abuse detection and continuous monitoring on Docker Hub and similar public registries.