Docker Hub Under Siege: Millions of Repos Harbor Malware

Over the past several years, Docker Hub, the public registry most developers pull container images from, has been the vehicle for three large-scale fraudulent campaigns. Researchers from JFrog found that roughly 20% of the approximately 15 million repositories hosted there carried malicious or unwanted content, ranging from spam to malware droppers and links to phishing sites.

The researchers identified about 4.6 million repositories that held no Docker image at all, so there was nothing in them that a Docker engine or a Kubernetes cluster could pull or run; their only content was the repository's description page, which is exactly where the lures were placed. Approximately 2.81 million of these imageless repositories were linked to the three major campaigns described below.

The first campaign, known as “Downloader,” used automatically generated texts promoting pirated content or cheats for video games, and those texts contained links to malicious software. “This campaign was active during two different periods—in 2021 and 2023, and in both instances the same malicious executable was used and a task was created in the Windows scheduler,” noted JFrog.

The second campaign, “eBook Phishing,” encompassed nearly a million repositories offering free e-book downloads, each with a randomly generated description and URL. Instead of a book, the link led to a phishing page where users were asked to enter their credit card details.

In the third campaign, “Website SEO,” which appeared less harmful, a handful of repositories were created every day, all with the identical name “website.” “It is possible that this campaign was used as a type of test load before launching truly malicious campaigns,” JFrog speculated.

In addition to the three major campaigns, the researchers also uncovered a number of smaller ones, each involving fewer than 1,000 repositories and primarily aimed at distributing spam and SEO content.
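The traits described above (repositories with no image tags, auto-generated descriptions pushing downloads, e-books or game cheats with off-platform links, and daily bursts of identically named repositories) lend themselves to a simple metadata triage. The script below is an added example written for this article, not JFrog's or Docker's tooling. The lure vocabulary, the trusted-host list, the burst threshold, the `RepoRecord` fields and the sample records are all assumptions; the `fetch_record` helper mirrors the public Docker Hub v2 endpoints as known at the time of writing and is not called here, so the example runs offline on constructed data.

```python
"""Triage heuristics for Docker Hub repository metadata (added example).

Encodes three traits from the JFrog findings: repositories with no image
tags, descriptions that push downloads/e-books/cheats with off-platform
links, and same-day bursts of identically named repositories. All records
in SAMPLE are constructed; they are not real Docker Hub repositories.
"""
from __future__ import annotations
import json
import re
import urllib.request
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed lure vocabulary derived from the campaigns the article names.
LURE_PATTERNS = [
    (re.compile(r"\b(crack(ed)?|pirated|torrent|keygen)\b"), "piracy_lure"),
    (re.compile(r"\b(cheat|aimbot|trainer|wallhack)\b"), "game_cheat"),
    (re.compile(r"\b(e-?book|epub|pdf)\b"), "ebook_lure"),
    (re.compile(r"\bfree download\b"), "download_cta"),
]
URL_RE = re.compile(r"https?://[^\s)\]]+")
TRUSTED_HOSTS = ("hub.docker.com", "github.com", "gitlab.com")  # assumption
BURST_THRESHOLD = 5  # identical names created on one day; assumed cut-off


@dataclass(frozen=True)
class RepoRecord:
    namespace: str
    name: str
    description: str
    tag_count: int   # 0 means no image was ever pushed: nothing to pull or run
    created: date


def _trusted(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def repo_reasons(repo: RepoRecord) -> list[str]:
    """Per-repository indicators: imageless, lure wording, off-platform link."""
    reasons = []
    if repo.tag_count == 0:
        reasons.append("no_image_tags")
    lowered = repo.description.lower()
    for pattern, label in LURE_PATTERNS:
        if pattern.search(lowered):
            reasons.append(label)
    for url in URL_RE.findall(repo.description):
        host = url.split("/")[2].split(":")[0].lower()
        if not _trusted(host):
            reasons.append("external_url")
            break
    return reasons


def burst_names(records: list[RepoRecord]) -> set[tuple[str, date]]:
    """(name, day) pairs created >= BURST_THRESHOLD times: the 'website' pattern."""
    per_day: dict[tuple[str, date], int] = defaultdict(int)
    for r in records:
        per_day[(r.name, r.created)] += 1
    return {key for key, n in per_day.items() if n >= BURST_THRESHOLD}


def triage(records: list[RepoRecord]) -> dict[str, tuple[str, list[str]]]:
    """Map 'namespace/name' to (verdict, reasons).

    suspect:   imageless and carrying a lure or off-platform link
    burst:     part of a same-day cluster of identically named repositories
    imageless: no tags but nothing else odd (a placeholder, not evidence)
    ok:        has an image and no lure
    """
    bursts = burst_names(records)
    out = {}
    for r in records:
        reasons = repo_reasons(r)
        if (r.name, r.created) in bursts:
            reasons.append("same_name_burst")
        imageless = "no_image_tags" in reasons
        lure = [x for x in reasons if x not in ("no_image_tags", "same_name_burst")]
        if imageless and lure:
            verdict = "suspect"
        elif "same_name_burst" in reasons:
            verdict = "burst"
        elif imageless:
            verdict = "imageless"
        else:
            verdict = "ok"
        out[f"{r.namespace}/{r.name}"] = (verdict, reasons)
    return out


def fetch_record(namespace: str, name: str) -> RepoRecord:
    """Build a record from the public Docker Hub v2 API (not called here).

    Endpoint paths and JSON field names are an assumption based on the public
    API at the time of writing; verify them against the live API before use.
    """
    base = f"https://hub.docker.com/v2/repositories/{namespace}/{name}/"
    with urllib.request.urlopen(base, timeout=10) as resp:
        meta = json.load(resp)
    with urllib.request.urlopen(base + "tags/?page_size=1", timeout=10) as resp:
        tags = json.load(resp)
    return RepoRecord(namespace, name, meta.get("description") or "",
                      int(tags.get("count", 0)),
                      date.fromisoformat(meta["date_registered"][:10]))


SAMPLE = [  # constructed sample data, not real repositories
    RepoRecord("library", "nginx", "Official build of Nginx.", 400, date(2014, 6, 5)),
    RepoRecord("acme-ci", "builder", "Internal CI image. https://github.com/acme/builder", 12, date(2023, 1, 9)),
    RepoRecord("user1234", "gta5-cheats", "Free download GTA 5 trainer and aimbot https://dl.example-lure.net/x", 0, date(2023, 3, 2)),
    RepoRecord("bookfan77", "read-book-0391", "Read the ebook free download pdf https://bk.example-lure.net/0391", 0, date(2023, 3, 2)),
    RepoRecord("devtest", "scratch-project", "", 0, date(2023, 3, 2)),
] + [RepoRecord(f"seo{i:03d}", "website", "", 0, date(2023, 4, 1)) for i in range(6)]

if __name__ == "__main__":
    for repo, (verdict, reasons) in triage(SAMPLE).items():
        print(f"{verdict:9s} {repo:32s} {', '.join(reasons)}")
```

The verdicts deliberately separate "imageless" from "suspect": an empty repository on its own is common (abandoned projects, placeholders) and is not evidence, which is why the 4.6 million imageless repositories were only a starting point and the campaigns were identified from what the description pages contained.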

JFrog alerted Docker’s security team to their findings, which included 3.2 million repositories suspected of hosting malicious or unwanted content. In response, Docker has already removed all suspicious repositories from Docker Hub.

Unlike typical attacks that target developers and organizations directly, the attackers in this case leaned on Docker Hub's reputation as a trusted platform, which made the phishing and malware-installation attempts harder to recognize, JFrog added, emphasizing the need for ongoing moderation of such platforms.