Exposed Docker API XMRig miner dropper

Malware Activity
1 unique source, 1 article

Summary

A binary dropper carrying XMRig was deployed through Docker Engine APIs exposed without authentication, turning compromised Docker hosts into cryptocurrency-mining infrastructure and opening the door to follow-on host abuse. The payload bundled the wallet, mining-pool URLs, and execution arguments, so it could start mining without fetching any external component. The same intrusion path also set up Tor routing, modified SSH configuration, and scanned for further hosts with the Docker API open on TCP 2375.

Related Happenings

CanisterWorm self-propagation across npm packages

Malware Activity
First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

Aqua Security hit by data theft breach

Incident
First: 20.03.2026 19:47 Last: 20.03.2026 19:47 Sources 1

About this happening: The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...

Latest development: 23.03.2026 10:31

TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
First: 09.03.2026 20:31 Last: 09.03.2026 20:31 Sources 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

TeamPCP cloud-native exploitation campaign

Campaign
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...

Latest development: 23.03.2026 10:31

Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.

Docker Ask Gordon AI assistant Meta-Context Injection security flaw

Vulnerability
First: 03.02.2026 17:15 Last: 03.02.2026 17:15 Sources 1

About this happening: **Docker's Ask Gordon AI assistant** is affected by **Meta-Context Injection**, where unverified metadata can be turned into executable instructions. The flaw creates **critical R...

Timeline

  1. 09.09.2025 17:01 · 2 articles

    Threat actors deploy XMRig miner dropper through exposed Docker APIs

    Technical Analysis Update

    Threat actors abuse Docker Engine APIs exposed on compromised hosts to enumerate existing containers, create Alpine-based containers that bind-mount the host root filesystem, route traffic through Tor via socks5h, modify the SSH configuration for backdoor access, and deploy a binary dropper carrying an XMRig cryptocurrency miner with embedded wallet information, mining-pool URLs, and execution arguments.

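The summary and the technical analysis above describe two things a defender can check for directly: a Docker daemon listening on TCP 2375 without TLS client authentication, and a container created through that API with the host root bind-mounted and proxying through socks5h. The following audit script is an added example written for this page; it is not code from the reporting, from Docker, or from the threat actor. The `docker inspect` and `daemon.json` samples are constructed and trimmed to the fields the checks read, and the privileged / host-PID / socks5h-in-environment indicators are assumptions layered on top of the host-root mount that the analysis actually documents.

```python
import json

# Constructed sample (not real telemetry): a trimmed `docker inspect` result
# for two containers. The second matches the pattern described above:
# Alpine image, host root bind-mounted at /mnt, socks5h proxy in the env.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Env": ["NGINX_PORT=80"]},
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["webdata:/usr/share/nginx/html"]},
        "Mounts": [{"Type": "volume", "Source": "webdata",
                    "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Name": "/zealous_x",
        "Config": {"Image": "alpine:latest",
                   "Env": ["ALL_PROXY=socks5h://127.0.0.1:9050"]},
        "HostConfig": {"Privileged": True, "PidMode": "host",
                       "Binds": ["/:/mnt"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
    },
])

# Constructed daemon.json variants: the exposure that enables this intrusion
# path, and a hardened counterpart (assumed cert paths; adjust to taste).
DAEMON_WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
DAEMON_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def daemon_exposure_findings(daemon_json: str) -> list[str]:
    """Flag TCP listeners in daemon.json that serve the Docker API without
    client-certificate authentication (tlsverify)."""
    cfg = json.loads(daemon_json)
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue                     # unix:// and fd:// are local-only
        if cfg.get("tlsverify") is True:
            continue                     # client certs required on this listener
        addr = listener[len("tcp://"):]
        bind_ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        wildcard = bind_ip in ("", "0.0.0.0", "[::]", "::")
        scope = "all interfaces" if wildcard else bind_ip
        findings.append(f"{listener}: unauthenticated Docker API on {scope}")
    return findings


def container_findings(inspect_json: str) -> list[tuple[str, list[str]]]:
    """Return (container name, reasons) for containers that show the
    host-takeover indicators described in the analysis above."""
    results = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        reasons = []

        # Host root bind-mounted into the container. Binds and Mounts can
        # both describe the same mount, so collect sources into a set.
        sources = {b.split(":", 1)[0] for b in host_cfg.get("Binds") or []}
        sources |= {m.get("Source") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"}
        if "/" in sources:
            reasons.append("host root filesystem bind-mounted")

        # Assumed supporting indicators: privileged mode and the host PID
        # namespace commonly accompany a host-root mount.
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        if host_cfg.get("PidMode") == "host":
            reasons.append("host PID namespace")

        # Assumed indicator: socks5h proxying (Tor-style, remote DNS) in env.
        env = (c.get("Config") or {}).get("Env") or []
        if any("socks5h://" in e for e in env):
            reasons.append("socks5h proxy configured in environment")

        if reasons:
            results.append((name, reasons))
    return results


if __name__ == "__main__":
    for label, cfg in (("weak", DAEMON_WEAK), ("hardened", DAEMON_HARDENED)):
        print(label, daemon_exposure_findings(cfg))
    for name, reasons in container_findings(SAMPLE_INSPECT):
        print(name, "->", "; ".join(reasons))
```

On a live host, feed `container_findings` the output of `docker inspect $(docker ps -aq)` and `daemon_exposure_findings` the contents of `/etc/docker/daemon.json`; a daemon started with `-H tcp://...` on the command line will not appear in daemon.json, so also check the dockerd process arguments. Note that `tlsverify` without `tlscacert` still fails closed at daemon start, which is why the check keys on `tlsverify` alone.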