1600 malicious container images found on Docker Hub

Sysdig, the company behind the open-source system analysis tool of the same name, has published the results of a study of more than 250 Linux container images hosted on Docker Hub that are not marked as verified or official images. As a result, 1652 images were classified as malicious.

Cryptocurrency-mining components were identified in 608 images. Access tokens were left in 288 images (SSH keys in 155, AWS tokens in 146, GitHub tokens in 134, and NPM API tokens in 24). 266 images contained tools for bypassing firewalls through proxies, 134 referenced recently registered domains, and 129 included connections to sites recognized as malicious.

Some images with cryptocurrency miners used names that included the names of well-known open source projects such as ubuntu, golang, joomla, liferay and drupal, or relied on typosquatting (assigning similar names that differ in individual characters) to attract users. The most popular malicious images are vibersastra/ubuntu and vibersastra/golang, which have been downloaded more than 10 and 6900 times, respectively.
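
A pre-pull check for the two naming patterns described above, as an added example that is not from Sysdig or the original article. The project list, the labels returned and the `exampleuser` namespace are assumptions made for illustration, and only Docker Hub style references are handled.

```python
# Added example: flag Docker Hub image references that reuse or imitate
# well-known project names. WELL_KNOWN is a constructed sample list.
WELL_KNOWN = {"ubuntu", "golang", "joomla", "liferay", "drupal"}
HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def split_reference(ref: str):
    """Return (namespace, repo) with any tag or digest removed."""
    name = ref.split("@", 1)[0]                 # drop @sha256:... digest
    if ":" in name.rsplit("/", 1)[-1]:          # a colon after the last slash is a tag
        name = name[: name.rfind(":")]
    parts = name.lower().split("/")
    if parts[0] in HUB_HOSTS:
        parts = parts[1:]
    if len(parts) == 1:                         # bare name means the official namespace
        return "library", parts[0]
    return parts[0], "/".join(parts[1:])

def classify(ref: str) -> str:
    """Label a reference: official, borrowed-name, lookalike or unlisted."""
    namespace, repo = split_reference(ref)
    if repo in WELL_KNOWN:
        # Same repo name outside the official namespace, e.g. vibersastra/ubuntu.
        return "official" if namespace == "library" else "borrowed-name"
    if any(osa_distance(repo, known) == 1 for known in WELL_KNOWN):
        return "lookalike"                      # one character away from a known name
    return "unlisted"

if __name__ == "__main__":
    # Constructed sample references; only the vibersastra names come from the article.
    for ref in ["ubuntu:22.04", "vibersastra/ubuntu", "vibersastra/golang",
                "exampleuser/ubunto:latest", "golnag", "exampleuser/nginx"]:
        print(f"{ref:30} {classify(ref)}")
```

A `borrowed-name` or `lookalike` result is a reason to review the publisher before pulling, not proof that the image is malicious.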

Source: opennet.ru