Safeguard
Container Security

Docker Hub malicious image detection

Docker Hub's open upload model has enabled real cryptojacking and phishing campaigns — here's how attackers hide malware in images and how to detect them.

Vikram Iyer
Cloud Security Engineer
7 min read

Docker Hub hosts more than 15 million public repositories, and only a small fraction carry the "Official Image" or "Verified Publisher" badge. Everything else — the vast majority of what docker pull actually returns — is uploaded by anonymous accounts with no review process. That gap has been exploited repeatedly: in May 2018, Kromtech Security Center identified 17 Docker Hub images, published under the account "docker123321," that had been pulled more than five million times while quietly mining Monero, netting the operator an estimated $90,000. Six years later, JFrog security researchers scanning Docker Hub at scale found that roughly one in five repositories they examined contained no real image at all — just metadata pages engineered to redirect visitors to malware and phishing sites. Malicious images aren't an edge case on Docker Hub; they're a persistent, evolving supply chain risk that most container scanners never look at closely enough to catch.

How many malicious images are actually on Docker Hub?

Independent research consistently puts the number in the thousands, and the problem has shifted from one-off backdoored images to industrialized campaigns. JFrog's 2024 analysis of Docker Hub's public repositories found that a large share of the images it crawled had no functional container content whatsoever — they were "imageless" repos whose README pages and tags existed purely to funnel visitors to phishing kits, cracked-software lures, or malware droppers, organized into distinct, trackable campaigns rather than isolated uploads. Sysdig's Threat Research Team has separately documented cryptojacking images that stayed live on Docker Hub for months, racking up tens of thousands of pulls before takedown, because nothing in the standard docker pull workflow checks image behavior before it runs. The common thread across every study is the same: Docker Hub's open, no-review upload model means malicious content isn't a rare anomaly, it's a standing category of the catalog that scales with the platform's popularity.

How do attackers get malware into Docker Hub in the first place?

Attackers get malicious images onto Docker Hub the same way legitimate ones get there — by uploading them — because Docker Hub does not review image contents before publishing. The most common vector is typosquatting: publishing ngnix, nodejs-official, or python3-slim alongside the real nginx, node, and python images to catch developers who mistype a docker pull command or copy a Dockerfile FROM line from an untrusted blog post or Stack Overflow answer. A second vector is base-image poisoning, where an attacker compromises or forks a moderately popular community image, adds a cryptominer or reverse shell to the build, and republishes it under a similar name with inflated star counts or fake documentation to look credible. A third, increasingly common vector documented by JFrog and Sysdig is bulk account creation: attackers spin up hundreds of throwaway Docker Hub accounts to publish thousands of near-identical repositories, betting that even a low click-through rate across a large volume produces a steady stream of victims.

What did the 2018 Kromtech cryptojacking campaign actually look like?

The docker123321 campaign hid a Monero miner inside the container's ENTRYPOINT, so the malicious code executed automatically the moment a victim ran docker run — no separate exploit step required. Kromtech's researchers found that several of the 17 images were named to look like ordinary utility images (including variants referencing Redis and other common services), which meant they showed up in search results and copy-pasted docker run commands next to legitimate tooling. Because the mining process ran inside the container as a background task, it didn't interrupt whatever primary workload a developer thought they were launching, letting the images accumulate pulls undetected for over a year before Kromtech's disclosure led Docker to remove them. The financial outcome — roughly $90,000 in Monero mined off victims' own compute — is a useful baseline for why "it's just a container, what's the worst that happens" is the wrong mental model for unvetted Docker Hub pulls.

How fast do attackers find and exploit exposed or newly published containers?

Fast enough that manual review cycles are not a viable defense: Aqua Security's Team Nautilus has documented honeypot Docker environments being discovered and attacked within hours of being exposed to the internet, with automated scanning bots probing for misconfigured Docker APIs and pulling attacker-controlled images almost immediately after a target responds. Aqua's Cloud Native Threat Reports from 2021 and 2023 both describe attackers using pre-built malicious images specifically designed to be pulled onto compromised or misconfigured hosts within minutes of discovery, turning a single exposed Docker daemon into a cryptomining or botnet node before an on-call engineer would typically even see an alert. The practical implication for any team pulling third-party images is that detection has to happen at pull time or build time — waiting for runtime anomaly detection to notice unusual CPU usage or outbound connections means the attacker has already had hours of head start.

What techniques let malicious Docker Hub images evade basic scanning?

Malicious images evade signature-based scanners primarily by keeping the malicious logic out of the static filesystem layers that scanners inspect and putting it in behavior that only executes at runtime. Multi-stage Dockerfiles let an attacker build a clean-looking final image while discarding the build stage that contained suspicious code, so a layer-by-layer diff of the shipped image looks unremarkable. Delayed activation is another common pattern documented by Sysdig: the entrypoint script fetches a second-stage payload from a remote server only after the container has been running for a period of time, or only when it detects it's not inside a sandbox, specifically to defeat automated image analysis tools that spin up a container for thirty seconds and check for immediate red flags. Attackers also lean on "living-off-the-land" binaries already present in common base images — curl, bash, python — so the malicious behavior is a shell command embedded in an entrypoint script rather than a separately flagged binary, which lets it slip past scanners that only check for known malware hashes.

How can security teams detect malicious Docker Hub images before they reach production?

Reliable detection combines provenance verification, static and behavioral image analysis, and dependency-level visibility, rather than relying on any single check. Verifying image signatures and publisher identity (via Sigstore/cosign or Docker Content Trust) filters out unverified anonymous uploads before they're even pulled, which alone would have blocked most of the typosquatted images documented in the JFrog research. Static scanning needs to go past CVE lookups and inspect entrypoint scripts, embedded binaries, and unusual outbound network calls, since — as the 2018 Kromtech case and Sysdig's later findings show — the malicious behavior is often in a script, not a known-bad package version. Generating a full software bill of materials (SBOM) for every pulled image, and diffing it against what the image claims to contain, surfaces the "imageless" and metadata-mismatch patterns that JFrog flagged across its 2024 Docker Hub campaigns. None of this is optional for teams pulling third-party base images at any scale — the volume of malicious and spam repositories on Docker Hub means manual vetting simply doesn't keep pace with how fast new images appear.

How Safeguard Helps

Safeguard scans every container image pulled into your build and runtime environments, generating and ingesting SBOMs to catch mismatches between what a Docker Hub image claims to contain and what it actually ships — the exact pattern behind the imageless and metadata-spoofed repos JFrog documented. Griffin AI, Safeguard's detection engine, analyzes entrypoint scripts, embedded binaries, and build stages for the delayed-activation and living-off-the-land patterns that let cryptomining and phishing-redirect images evade signature-based scanners. Reachability analysis then tells your team which flagged issues in a pulled image are actually exercised by your workload versus sitting in unused code paths, cutting through alert noise so a real threat like a hidden Monero miner doesn't get lost in a pile of low-severity CVEs. When Safeguard finds a vulnerable or suspicious base image reference in your Dockerfiles, it opens an auto-fix pull request swapping in a verified, pinned alternative, so remediation doesn't wait on a manual triage queue. Together, these capabilities move malicious-image detection from "after it's already running in production" to "before it's ever pulled."

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.