Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Cloud Security

Docker Hub Users Targeted With Imageless, Malicious Repositories

JFrog raises an alarm after finding three large-scale malware campaigns targeting Docker Hub with imageless repositories.

Security researchers at JFrog have identified three large-scale campaigns targeting Docker Hub with repositories that did not contain container images but featured malicious metadata instead.

A platform for the development, distribution, and collaboration on Docker images, Docker Hub hosts more than 15 million repositories and is one of the most popular container platforms for developers worldwide.

Docker Hub functions as a community platform, where users can upload their container images, but can also find images that could be useful to them and can comment and rate them, to boost their visibility.

However, according to a warning from JFrog, approximately 3.2 million of the Docker Hub repositories were found to host malicious content ranging from simple spam promoting pirated content, to malware and phishing sites.

The recently identified malicious campaigns involved millions of imageless repositories uploaded to Docker Hub, the cloud-based registry service for hosting and distributing container images.

The JFrog researchers identified more than 4.6 million imageless repositories on Docker Hub, with roughly 2.9 million of them being used as part of three malicious campaigns. All the malicious and unwanted repositories have been removed.

Analyzing the activity on Docker Hub over the past three years, JFrog discovered several spikes in daily repository creation and discovered that thousands of imageless repositories were being created within short periods of time using similar patterns.

While other campaigns ran at slowed paces, adding only tens of new repositories per day, all were found to be malicious.

Advertisement. Scroll to continue reading.

Without a container image to be run in Docker or Kubernetes, these repositories are unusable, as they cannot be pulled and run as docker images, but were meant to promote malicious content through the attached documentation and metadata.

One of the campaigns featured repositories containing automatically generated texts enticing users to download pirated content or cheats for video games and providing a link to the alleged advertised software.

JFrog identified two instances of this campaign, both using the same malicious payload, a trojan that can harvest system and OS information and drop executables on the system, and which appears to be used as part of an adware campaign or other monetization schemes.

The second campaign, involving nearly a million imageless repositories created in 2021, offered free eBook downloads redirecting users to a page where they were asked to provide their credit card information.

As part of the third campaign, the threat actor created a thousand repositories per day for three years. Seemingly harmless, the repositories featured the same name, and were likely created as a stress test before launching the truly malicious campaigns.

Related: AI Hallucinated Packages Fool Unsuspecting Developers

Related: Suspicious NuGet Package Harvesting Information From Industrial Systems

Related: Hundreds Download Malicious NPM Package Capable of Delivering Rootkit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights