Hidden Threats in Docker Hub: 1,652 Malicious Images Uncovered by Sysdig
Sysdig’s analysis of over 250,000 public Linux images on Docker Hub revealed 1,652 images containing hidden malware, including mining tools, embedded credentials, proxy‑avoidance scripts, and malicious websites, highlighting the urgent need for robust image‑scanning and credential‑management practices.
Sysdig recently analyzed more than 250,000 Linux container images hosted on Docker Hub and discovered that 1,652 of them contain hidden malicious programs.
Docker Hub, operated by Docker, is the world’s largest public registry for container images, offering official images reviewed by the Docker Library project and a verification program for independent software vendors.
In its study, Sysdig excluded official and verified images, focusing solely on user‑uploaded public images. Among the examined images, the malicious content comprised 608 cryptocurrency‑mining programs, 281 embedded keys, 266 proxy‑avoidance scripts, 134 newly registered domains, 129 known malicious sites, and other threats.
The analysis confirmed that mining programs are the most common type of malicious image. The prevalence of embedded keys—such as SSH keys, AWS credentials, GitHub tokens, or NPM tokens—underscores the importance of credential management; developers may unintentionally or deliberately store such secrets in images. Using sensitive‑data scanning tools is strongly recommended to prevent credential leakage.
SSH public keys are also flagged as embedded keys because when placed in container images they can be used for illicit purposes, such as uploading the key to a remote server to gain unauthorized shell access, effectively acting as a backdoor.
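An added example, not from Sysdig or the original article: a minimal Python scanner that checks every layer of a `docker save` archive for the credential types named above, including SSH public keys. The rule names, regexes and the constructed two-layer sample image are assumptions for illustration; scanning layer by layer shows that a credential "deleted" in a later layer still ships in the earlier one.

```python
import io, json, re, tarfile

# Illustrative rules (assumed, not Sysdig's); matches are leads to review, not proof.
RULES = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "ssh_public_key": re.compile(rb"ssh-(?:rsa|ed25519) AAAA[0-9A-Za-z+/]{20,}"),
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[0-9A-Za-z]{36}\b"),
    "npm_token": re.compile(rb"\bnpm_[0-9A-Za-z]{36}\b"),
}

def scan_image(image_tar: bytes, max_size: int = 1 << 20):
    """Scan each layer of a `docker save` archive; return sorted (layer, path, rule)."""
    findings = set()
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer:
                    if not member.isfile() or member.size > max_size:
                        continue  # skip directories, links and large binaries
                    data = layer.extractfile(member).read()
                    for rule, pattern in RULES.items():
                        if pattern.search(data):
                            findings.add((layer_name, member.name, rule))
    return sorted(findings)

def _tar(files: dict) -> bytes:
    """Build an in-memory tar from {path: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image() -> bytes:
    """Constructed image: layer 2 removes the AWS file with a whiteout entry."""
    pubkey = b"ssh-ed25519 AAAA" + b"C3Nza" * 6 + b" constructed@example\n"  # not a real key
    l1 = _tar({"root/.aws/credentials": b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
               "root/.ssh/authorized_keys": pubkey})
    l2 = _tar({"root/.aws/.wh.credentials": b""})
    manifest = [{"Config": "config.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return _tar({"manifest.json": json.dumps(manifest).encode(), "l1/layer.tar": l1, "l2/layer.tar": l2})

if __name__ == "__main__":
    print(scan_image(sample_image()))
```

Both findings come from the first layer: the whiteout in the second layer hides the AWS file from the running container but does not remove it from the image.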
Attackers in many areas masquerade as popular brands by using similar names to confuse users; Sysdig identified several such cases on Docker Hub, and the images involved turned out to be mining programs.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
