XZ Utils backdoor persists in Docker Hub and Debian container images

Technical Analysis
Happening score
H score 16
1 unique source, 1 article

Summary

Researchers found XZ Utils backdoors persisting in Docker Hub and Debian Docker images, extending CVE-2024-3094 risk beyond the original disclosure. The compromise affected 35 Docker Hub images and 12 Debian Docker images, with infected base images propagating into derivative layers. The exposure matters because the backdoor can enable unauthorized remote access and root command execution over SSH.

Related Happenings

Docker Hub container images leaking secrets across more than 100 organizations

Data Leak
First: 04.02.2026 17:05 Last: 04.02.2026 17:05 Sources 1

About this happening: Researchers uncovered **more than 10,000 Docker Hub container images** leaking **production API keys, cloud tokens, CI/CD credentials, and AI model access tokens**, putting secret...

SBRMiner-MULTI cryptominer delivered through a malicious Docker Hub image

Malware Activity
First: 17.12.2025 23:48 Last: 17.12.2025 23:48 Sources 1

About this happening: A **SBRMiner-MULTI** cryptominer was delivered through a **malicious Docker Hub image** that auto-launched on container startup, enabling illicit mining on **AWS EC2** and **ECS**...

Jenkins server actively exploited security flaw (CVE-2024-23897)

Vulnerability
First: 16.10.2025 17:28 Last: 16.10.2025 17:28 Sources 1

About this happening: In an **AWS-hosted environment**, **CVE-2024-23897** on an **exposed Jenkins server** was used as the initial foothold, creating an intrusion path that led to malware deployment o...

Docker expands Hardened Images catalog access with near-zero-CVE subscriptions

Security Tool/Service
First: 08.10.2025 01:09 Last: 08.10.2025 01:09 Sources 1

About this happening: Docker expanded **Hardened Images** access with a **30-day free trial** and subscription use for all users, making secure container images more accessible to **startups and SMBs**...

Exposed Docker API malware botnet-building tooling

Malware Activity
First: 09.09.2025 22:16 Last: 09.09.2025 22:16 Sources 1

About this happening: Updated **malware** targeting **exposed Docker APIs** now **self-replicates**, establishes **persistent SSH access**, and **blocks port 2375**, raising the risk of a durable botne...

Timeline

  1. 12.08.2025 21:17 1 article · 9mo ago

    XZ Utils backdoor persists in Docker Hub and Debian container images

    Initial Disclosure

    A container-image review traced the **XZ Utils** backdoor into reusable base images pulled from **Docker Hub** and into layered derivatives. The first phase centered on identifying how the malicious payload survived inside image layers and spread through rebuilds.
