SBRMiner-MULTI cryptominer delivered through a malicious Docker Hub image
Malware Activity
Summary
An SBRMiner-MULTI cryptominer was delivered through a malicious Docker Hub image that launched the miner automatically on container start, enabling illicit mining on AWS EC2 and ECS. The image supplied the payload; access to customer cloud environments came from compromised IAM credentials rather than from any AWS vulnerability. Amazon removed the image after detecting the activity, but warned that similar images could be republished under new names.
Related Happenings
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious routine in `lightning==2.6.3` in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Developer environments using KICS data exposed after Checkmarx breach
Data Leak
First: 23.04.2026 19:05
Last: 23.04.2026 19:05
Sources 1
About this happening:
The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...
LiteLLM PyPI credential-stealing malware compromise
Malware Activity
First: 25.03.2026 14:00
Last: 25.03.2026 14:00
Sources 1
About this happening:
The **LiteLLM** package on **PyPI** was compromised with **credential-stealing malware**, putting downstream environments at risk of secret theft and persistence. Malicious releas...
TeamPCP infostealer in compromised Trivy Docker Hub images
Malware Activity
First: 23.03.2026 17:05
Last: 23.03.2026 17:05
Sources 1
About this happening:
**TeamPCP infostealer** was found in additional **compromised Trivy Docker images**, extending the malware distribution path through **Docker Hub**. The newly identified tags **0....
TeamPCP cloud-native exploitation campaign
Campaign
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...
Latest development: 23.03.2026 10:31
Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.
Timeline
17.12.2025 23:48 · 2 articles
Malicious Docker Hub image created for SBRMiner-MULTI delivery
Technical Analysis Update: The Docker Hub image yenik65958/secret was created on October 29 with an embedded SBRMiner-MULTI cryptominer and a startup script that launched the miner automatically when the container started, establishing the delivery mechanism later used against AWS workloads.
Sources:
- Amazon: Ongoing cryptomining campaign uses hacked AWS accounts — www.bleepingcomputer.com — 17.12.2025 23:48
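Because the payload here is a named Docker Hub repository, the first thing a responder wants is a check of which ECS task definitions or EC2 container workloads reference it, including retagged or fully qualified spellings of the same image. The following is an added example, not code from Amazon, GuardDuty or the BleepingComputer report: it normalises image references the way the Docker client resolves them and matches them against a blocklist. Only the image name yenik65958/secret comes from the reporting; the task definitions and other image names are constructed sample data.

```python
"""Match container image references against a blocklist of known-bad Docker
Hub images. Added example, not code from Amazon, GuardDuty or BleepingComputer.
Only the image name yenik65958/secret comes from the reporting; the task
definitions and other image names below are constructed."""

from typing import NamedTuple, Optional


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: str
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Normalise an image reference the way the Docker client resolves it:
    no registry -> docker.io, index.docker.io -> docker.io, no namespace on
    Docker Hub -> library/<name>, no tag -> latest. A digest is split off first
    because it contains a colon of its own."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first path component is a registry host only if it looks like one
    # (contains a dot or a port, or is "localhost"); "yenik65958/secret" does not.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    if registry == "index.docker.io":
        registry = "docker.io"
    # Only the last component can carry a tag; a colon earlier in the string
    # would have been a registry port and is already consumed above.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    else:
        tag = "latest"
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path.lower(), tag, digest)


# Repositories to block, keyed on (registry, repository) so that retagged
# copies still match. yenik65958/secret is the image named in the reporting.
BLOCKLIST = {("docker.io", "yenik65958/secret")}


def find_blocked_images(task_images: dict) -> list:
    """Return (task_definition, image) pairs whose image resolves to a
    blocklisted repository. task_images maps a task definition to the list of
    container images it references."""
    hits = []
    for task_def, images in task_images.items():
        for image in images:
            r = parse_image_ref(image)
            if (r.registry, r.repository) in BLOCKLIST:
                hits.append((task_def, image))
    return hits


# Constructed sample: the images four hypothetical ECS task definitions pull.
SAMPLE_TASK_IMAGES = {
    "web-frontend:12": ["nginx:1.27", "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:prod"],
    "batch-worker:3": ["yenik65958/secret", "redis"],
    "ml-job:7": ["index.docker.io/yenik65958/secret:v2", "ubuntu:22.04"],
    "sidecar:1": ["docker.io/library/secret:latest"],  # same last component, different repo
}

if __name__ == "__main__":
    for task_def, image in find_blocked_images(SAMPLE_TASK_IMAGES):
        print(f"BLOCKED {task_def}: {image}")
```

In practice the image lists come from `aws ecs describe-task-definition` output or from the container runtime on each host. Matching on the repository rather than the tag catches retagged copies, but, as Amazon warned, the same payload can be republished under a new name, so a blocklist is a triage aid, not a control; restricting workloads to images from your own registry or to signed, digest-pinned references is the durable fix.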
17.12.2025 23:48 · 1 article
Crypto-mining campaign begins on AWS EC2 and ECS
Exploitation Observed: On November 2, the threat actor used valid IAM credentials in customer accounts to access EC2 and ECS, reconnoitered EC2 service quotas and IAM permissions, and began cryptomining within 10 minutes of initial access.
Sources:
- Amazon: Ongoing cryptomining campaign uses hacked AWS accounts — www.bleepingcomputer.com — 17.12.2025 23:48
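The tempo described above, quota and permission enumeration followed by compute launches within ten minutes of a key's first use, is itself a detectable sequence in CloudTrail. The following is an added example, not AWS or GuardDuty code: it groups CloudTrail records by access key and alerts when a launch call follows reconnaissance inside a short window. The records are constructed, and the specific reconnaissance API names are an assumption, since the reporting only says that quotas and IAM permissions were reconnoitered.

```python
"""Detect an access key that launches compute within minutes of first being
seen, after enumerating quotas or IAM permissions, the sequence the GuardDuty
warning describes. Added example, not AWS or GuardDuty code. The CloudTrail
records below are constructed; the specific recon API names are an assumption,
since the reporting only says quotas and IAM permissions were reconnoitered."""

from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) pairs. Assumed recon set: the report names quota and
# IAM-permission enumeration but not the exact calls.
RECON_EVENTS = {
    ("servicequotas.amazonaws.com", "GetServiceQuota"),
    ("servicequotas.amazonaws.com", "ListServiceQuotas"),
    ("iam.amazonaws.com", "ListAttachedUserPolicies"),
    ("iam.amazonaws.com", "GetUser"),
    ("sts.amazonaws.com", "GetCallerIdentity"),
}
LAUNCH_EVENTS = {
    ("ec2.amazonaws.com", "RunInstances"),
    ("ecs.amazonaws.com", "RunTask"),
    ("ecs.amazonaws.com", "CreateService"),
}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_fast_launch(events, window=timedelta(minutes=10)):
    """Group events by access key, sort each group by time, and alert when a
    launch call follows at least one recon call and lands within `window` of
    the key's first recorded activity."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        first_seen = _ts(evs[0])
        recon = []
        for e in evs:
            sig = (e["eventSource"], e["eventName"])
            if sig in RECON_EVENTS:
                recon.append(e["eventName"])
            elif sig in LAUNCH_EVENTS and recon:
                delta = _ts(e) - first_seen
                if delta <= window:
                    alerts.append({
                        "accessKeyId": key,
                        "arn": e["userIdentity"].get("arn"),
                        "launch": e["eventName"],
                        "minutes_from_first_seen": delta.total_seconds() / 60,
                        "recon": list(recon),
                        "sourceIPAddress": e.get("sourceIPAddress"),
                    })
                    break  # one alert per key is enough to drive rotation
    return alerts


def _ev(t, source, name, key, ip, arn="arn:aws:iam::123456789012:user/ci-deploy"):
    """Build a minimal constructed CloudTrail-style record."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key, "arn": arn},
            "sourceIPAddress": ip}


# Constructed sample. KEY_A mimics the reported tempo: recon, then RunInstances
# 6 min 40 s after its first call. KEY_B is a legitimate admin whose launch comes
# hours later; KEY_C launches with no recon at all.
KEY_A, KEY_B, KEY_C = "AKIAEXAMPLE000000A", "AKIAEXAMPLE000000B", "AKIAEXAMPLE000000C"
SAMPLE_EVENTS = [
    _ev("2025-11-02T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", KEY_A, "203.0.113.9"),
    _ev("2025-11-02T09:00:20Z", "servicequotas.amazonaws.com", "GetServiceQuota", KEY_A, "203.0.113.9"),
    _ev("2025-11-02T09:01:05Z", "iam.amazonaws.com", "ListAttachedUserPolicies", KEY_A, "203.0.113.9"),
    _ev("2025-11-02T09:06:40Z", "ec2.amazonaws.com", "RunInstances", KEY_A, "203.0.113.9"),
    _ev("2025-11-02T08:00:00Z", "ec2.amazonaws.com", "DescribeInstances", KEY_B, "198.51.100.4"),
    _ev("2025-11-02T08:30:00Z", "servicequotas.amazonaws.com", "GetServiceQuota", KEY_B, "198.51.100.4"),
    _ev("2025-11-02T10:15:00Z", "ec2.amazonaws.com", "RunInstances", KEY_B, "198.51.100.4"),
    _ev("2025-11-02T09:00:00Z", "ecs.amazonaws.com", "RunTask", KEY_C, "198.51.100.7"),
]

if __name__ == "__main__":
    for a in detect_fast_launch(SAMPLE_EVENTS):
        print(f"ROTATE {a['accessKeyId']}: {a['launch']} {a['minutes_from_first_seen']:.1f} min "
              f"after first activity, recon={a['recon']}, from {a['sourceIPAddress']}")
```

"First seen" here means the key's first event in the batch being scanned; against a real trail it should be the first event in the lookback window, so long-lived keys are judged on the start of a new burst of activity rather than on their creation date. Since Amazon states no vulnerability was involved, credential behaviour of this kind, plus an unfamiliar source address, is the main signal available before the mining instances themselves show up on the bill.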
17.12.2025 23:48 · 1 article
AWS GuardDuty warns about ongoing cryptomining activity
Initial Disclosure: Amazon's AWS GuardDuty security team warned that an ongoing crypto-mining campaign was targeting EC2 and ECS with compromised IAM credentials, said the attacker did not use a vulnerability, alerted affected customers to rotate the compromised credentials, and noted that the malicious Docker Hub image had been removed.
Sources:
- Amazon: Ongoing cryptomining campaign uses hacked AWS accounts — www.bleepingcomputer.com — 17.12.2025 23:48