Large-scale malware campaigns plant malicious content in Docker Hub repos

DevSecOps company JFrog shared details on a series of malware campaigns targeting Docker Hub, Docker’s cloud-based registry service that hosts and distributes images.

According to JFrog's findings, nearly 20% of the Docker Hub repositories it analyzed hosted malware or other malicious content: approximately 3 million of the roughly 15 million repositories hosted on the platform. A significant portion of these malicious repositories did not contain a functional Docker image at all. Instead, they served only as conduits, using the repository's metadata (its description and overview text) to host links and resources that supported malware operations outside the Docker Hub ecosystem.

JFrog's security research team has identified three major malware campaigns targeting Docker Hub.

The first campaign, 'Downloader', was active from the first half of 2021 until September 2023. It lured users with promises of pirated content or cheats for video games. The links provided redirected visitors either directly to malicious sources or to legitimate sites hosting JavaScript code that delivered the malicious payloads.

The second campaign, e-book phishing, took place in mid-2021. It targeted users searching for e-books and redirected them to a fake website where victims were asked to enter their financial information under the guise of downloading the desired e-book.

The third campaign spanned April 2021 to October 2023, with thousands of repositories created daily. Some of the repos contained links to an online diary-hosting service called Penzu, while others displayed seemingly harmless text, suggesting they may have been used for early testing. Either way, these repositories served as landing pages that redirected users to fraudulent sites or hosted malicious payloads.
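The common thread in the campaigns above is an "imageless" repository: no pushed tags, just description text carrying outbound links or lure wording. The script below is an added example, not JFrog's research tooling or any Docker code, showing how a defender could triage repository records for that pattern. It assumes records shaped like the public Docker Hub v2 API responses (a `description` and `full_description` string, and a `tags` object with a `results` list); that field layout, the allowlisted domains and the lure terms are assumptions to adapt, and the sample records are constructed, not real Docker Hub data.

```python
"""Triage Docker Hub repository records for the 'imageless landing page' pattern.

Added example; not JFrog's or Docker's code. Field names follow the shape of
the Docker Hub v2 API as assumed here; the SAMPLE_REPOS below are constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)

# Lure wording drawn from the campaigns described in the article (assumed list).
LURE_TERMS = ("crack", "cheat", "free download", "pirated", "ebook", "e-book")

# Domains that routinely appear in legitimate READMEs; anything else counts as external.
ALLOWED_DOMAINS = {"github.com", "docs.docker.com", "hub.docker.com"}

# Diary-hosting service named in the third campaign.
KNOWN_REDIRECTOR_HOSTS = {"penzu.com"}


def extract_domains(text):
    """Return the lower-cased hostnames of every http(s) URL found in text."""
    domains = []
    for url in URL_RE.findall(text or ""):
        host = urlparse(url).hostname
        if host:
            domains.append(host.lower())
    return domains


def triage(repo):
    """Score one repository record and return the flags that fired."""
    tags = repo.get("tags", {}).get("results", [])
    text = " ".join(filter(None, [repo.get("description"), repo.get("full_description")]))
    domains = extract_domains(text)

    flags = []
    if not tags:                      # no pushed image at all
        flags.append("imageless")
    if any(d not in ALLOWED_DOMAINS for d in domains):
        flags.append("external_link")
    if any(d in KNOWN_REDIRECTOR_HOSTS for d in domains):
        flags.append("known_redirector")
    if any(term in text.lower() for term in LURE_TERMS):
        flags.append("lure_wording")

    # An empty repo by itself is just noise (early testing, placeholders);
    # it becomes interesting when it also carries links or lure text.
    suspicious = "imageless" in flags and (
        "external_link" in flags or "lure_wording" in flags
    )
    return {"name": repo.get("name"), "flags": flags,
            "domains": domains, "suspicious": suspicious}


def triage_all(repos):
    """Triage a list of records; suspicious ones are listed first."""
    return sorted((triage(r) for r in repos), key=lambda x: not x["suspicious"])


# Constructed sample records (hypothetical names and URLs, not real repositories).
SAMPLE_REPOS = [
    {"name": "acme/webapp", "description": "Acme web app",
     "full_description": "Source: https://github.com/acme/webapp",
     "tags": {"results": [{"name": "latest"}]}},
    {"name": "free-stuff/game-cheats", "description": "Free cheats for your favourite game",
     "full_description": "Download here: https://dl.example.net/cheat-pack",
     "tags": {"results": []}},
    {"name": "reader/diary-link", "description": "",
     "full_description": "https://penzu.com/p/abc123",
     "tags": {"results": []}},
    {"name": "dev/empty-placeholder", "description": "placeholder",
     "full_description": "",
     "tags": {"results": []}},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_REPOS):
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["flags"])
```

In live use the `repo` dicts would be built from the Docker Hub API responses for a repository and its tag list (endpoint paths and pagination are outside what this example shows); the allowlist and lure terms should be tuned to the namespaces you monitor, and a lone `imageless` flag is deliberately not treated as malicious, mirroring the harmless-text repos the article attributes to early testing.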

The payloads delivered as part of these campaigns are designed to establish contact with command-and-control (C2) servers, sending system metadata and receiving links to cracked software in return.

In addition to the campaigns above, JFrog uncovered smaller sets of repositories, each containing fewer than 1,000 packages, that were primarily focused on spam and SEO manipulation.

The researchers said that they informed the Docker security team about their findings and all the malicious and unwanted repositories were removed from Docker Hub.