Redazione RHC : 14 August 2025 09:41
Analysts at Binarly have found at least 35 images on Docker Hub that still contain the backdoor planted in xz Utils last year. The researchers warn that this could put users, organizations, and their data at risk.
Binarly explains that many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub, using them as the basis for their containers. If these images are compromised, every new build will inherit the vulnerability or malicious code.
Recall that the backdoor in the popular xz Utils package was discovered by chance in 2024, and the incident received a great deal of attention. The issue was assigned the identifier CVE-2024-3094 and a CVSS score of 10.0, the maximum possible.
Because xz Utils and its library liblzma are very popular and included with most Linux distributions (and are also used by many Linux and macOS applications), the discovery of the malware sparked an outcry across the open source community.
An investigation conducted last year revealed that the backdoor operation was carefully planned and spanned several years: the attackers prepared the attack over a long period and gradually earned the trust of the xz Utils maintainer, Lasse Collin (aka Larhzu).
The backdoor used the glibc IFUNC mechanism to hook OpenSSH’s RSA_public_decrypt function (part of RSA key-based authentication) once liblzma was loaded into the sshd process (indirectly, through libsystemd, on the affected distributions). As a result, an attacker holding a specific private key could connect to an infected system over SSH, bypass authentication, and execute commands remotely with the privileges of sshd, that is, as root.
Because the backdoored releases (xz 5.6.0 and 5.6.1) made it into official packages of development and rolling-release branches of Linux distributions (such as Debian, Fedora (Red Hat), and openSUSE), the xz Utils infection was one of the most serious supply-chain compromises of the past year.
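Binarly’s finding is that base images carrying the backdoored liblzma keep propagating through image inheritance, so the practical check is to look for the affected xz release inside the images your pipelines actually pull. The script below is an added example written for this article, not Binarly’s tooling or anything from the xz project; it assumes (not stated on the page) that the compromised upstream releases are exactly 5.6.0 and 5.6.1, and it only flags by version, so a rebuilt distribution package that reports another version string is not examined further.

```shell
#!/bin/sh
# Added example (not from the article): flag container images or extracted
# image root filesystems that ship the backdoored xz Utils releases.
# Assumption: the compromised upstream releases are 5.6.0 and 5.6.1.

# Return 0 if the given `xz --version` output reports a backdoored release.
# Typical output looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_version_is_backdoored() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([^ ]*\).*/\1/p' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        # A distro rebuild such as "5.6.1+really5.4.5" is a different token and is
        # deliberately not matched here: match the exact upstream version only.
        *) return 1 ;;
    esac
}

# Print every liblzma shared object of an affected version found below the
# given directory (for example a root filesystem produced by `docker export`).
find_backdoored_liblzma() {
    root=$1
    find "$root" -type f \( -name 'liblzma.so.5.6.0' -o -name 'liblzma.so.5.6.1' \) 2>/dev/null
}

# Run `xz --version` inside an image and classify it. Exit status:
#   0 = backdoored release found, 1 = not a known backdoored release,
#   2 = xz could not be executed in the image (no xz binary, or no docker).
scan_image() {
    image=$1
    command -v docker >/dev/null 2>&1 || { echo "docker not available"; return 2; }
    out=$(docker run --rm --entrypoint xz "$image" --version 2>/dev/null) \
        || { echo "could not run xz in $image"; return 2; }
    if xz_version_is_backdoored "$out"; then
        echo "BACKDOORED: $image ($(printf '%s\n' "$out" | head -n 1))"
        return 0
    fi
    echo "not a known backdoored xz release: $image ($(printf '%s\n' "$out" | head -n 1))"
    return 1
}

# Usage: sh xz-check.sh image[:tag] ...   (images are pulled if not present)
# With no arguments the functions above are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    status=0
    for img in "$@"; do
        scan_image "$img" || rc=$?
        [ "${rc:-0}" -eq 0 ] && status=1
        rc=0
    done
    exit "$status"
fi
```

Because the inherited base image is what carries the problem, run this against the base images named in your Dockerfiles as well as the final ones, and treat an exit status of 2 (xz not runnable) as "unknown" rather than "clean": export the image and scan the filesystem with find_backdoored_liblzma instead.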
As Binarly reported this week, supply chain disruptions caused by the xz Utils infection are ongoing, with dozens of infected images still present on Docker Hub.
“We discovered that some of these compromised images [from xz Utils] are still publicly available on Docker Hub. What’s worse, other images have been built on top of these infected base images, resulting in cascading infections,” the researchers said.
In total, the researchers found 35 such images still available for download. At the same time, they emphasize that this number only partially reflects the true extent of the problem, since they did not perform a full scan of the platform.