Security researchers at JFrog have identified three large-scale campaigns targeting Docker Hub with repositories that did not contain container images but featured malicious metadata instead.
A platform for the development, distribution, and collaboration on Docker images, Docker Hub hosts more than 15 million repositories and is one of the most popular container platforms for developers worldwide.
Docker Hub functions as a community platform, where users can upload their container images, but can also find images that could be useful to them and can comment and rate them, to boost their visibility.
However, according to a warning from JFrog, approximately 3.2 million of the Docker Hub repositories were found to host malicious content ranging from simple spam promoting pirated content, to malware and phishing sites.
The recently identified malicious campaigns involved millions of imageless repositories uploaded to Docker Hub, the cloud-based registry service for hosting and distributing container images.
The JFrog researchers identified more than 4.6 million imageless repositories on Docker Hub, with roughly 2.9 million of them being used as part of three malicious campaigns. All the malicious and unwanted repositories have been removed.
Analyzing the activity on Docker Hub over the past three years, JFrog discovered several spikes in daily repository creation and discovered that thousands of imageless repositories were being created within short periods of time using similar patterns.
While other campaigns ran at slowed paces, adding only tens of new repositories per day, all were found to be malicious.
Without a container image to be run in Docker or Kubernetes, these repositories are unusable, as they cannot be pulled and run as docker images, but were meant to promote malicious content through the attached documentation and metadata.
One of the campaigns featured repositories containing automatically generated texts enticing users to download pirated content or cheats for video games and providing a link to the alleged advertised software.
JFrog identified two instances of this campaign, both using the same malicious payload, a trojan that can harvest system and OS information and drop executables on the system, and which appears to be used as part of an adware campaign or other monetization schemes.
The second campaign, involving nearly a million imageless repositories created in 2021, offered free eBook downloads redirecting users to a page where they were asked to provide their credit card information.
As part of the third campaign, the threat actor created a thousand repositories per day for three years. Seemingly harmless, the repositories featured the same name, and were likely created as a stress test before launching the truly malicious campaigns.
Related: AI Hallucinated Packages Fool Unsuspecting Developers
Related: Suspicious NuGet Package Harvesting Information From Industrial Systems
Related: Hundreds Download Malicious NPM Package Capable of Delivering Rootkit
