The backdoor vulnerability in XZ-Utils first came to light in March 2024, and had it not been discovered in time, it could have posed a grave security threat to the entire technology sector. Yet, even a year later, the repercussions of the XZ backdoor continue to linger.
Docker Hub, the official public container image registry operated by Docker, enables developers and enterprises to upload, download, and share pre-built images with the community, images that other users can deploy directly.
Countless CI/CD pipelines, developers, and production environments pull base layer images directly from Docker Hub. If such images are tainted with backdoor code, any subsequent builds based on them will inherit the malicious payload.
Researchers at cybersecurity firm Binarly, after conducting scans, discovered that multiple Docker Hub images still contain the XZ backdoor. They cautioned that if developers use these compromised images as the foundation for new projects, the backdoor could spread further.
Among the affected images is Debian Linux. In response to the researchers' findings, the Debian project explained that they have deliberately retained these compromised images to serve as a warning, urging users to upgrade to newer versions.
The scan revealed that Debian has not removed the 64-bit images containing the XZ backdoor from Docker Hub. At least 35 such images remain available for download, posing a risk to any user who retrieves an outdated Debian version.
Debian maintainers openly acknowledged their decision to keep these backdoored images as "historical artifacts" to caution users against employing anything but the latest builds. They argued that the likelihood of the XZ backdoor being exploited is extremely low, as exploitation would require the container to have sshd installed and running, the attacker to have network access to the container's SSH service, and possession of a private key matching the backdoor's trigger logic.
Binarly, however, strongly disagrees. The company contends that merely leaving such images publicly accessible introduces enormous risks, including accidental pulls or unintentional integration into automated builds. In their view, the only prudent course of action is to remove the compromised images entirely.
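The practical check a build pipeline needs is whether a Debian-based base image still ships the backdoored xz-utils/liblzma releases (upstream 5.6.0 and 5.6.1). The following added example is not Binarly's or Debian's tooling; it parses constructed `dpkg-query`-style output and reduces Debian version strings to the upstream version they really contain, so that a fixed package using Debian's `+really` convention is not mistaken for a stale one.

```python
"""Flag dpkg package listings that still carry the backdoored xz releases.

Constructed example, not Binarly's or Debian's tooling. Intended input is
the output of a command such as:
    docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5
"""

# Upstream xz releases that shipped the backdoored liblzma (CVE-2024-3094).
BACKDOORED_UPSTREAM = {"5.6.0", "5.6.1"}
WATCHED_PACKAGES = {"xz-utils", "liblzma5", "liblzma-dev"}


def upstream_version(debian_version: str) -> str:
    """Reduce a Debian version string to the upstream version it ships.

    Strips the epoch ("1:") and the Debian revision ("-1"), and honours the
    "+really" convention Debian uses when a newer-looking package version
    actually contains an older upstream (e.g. 5.6.1+really5.4.5-1 is 5.4.5).
    """
    v = debian_version.split(":", 1)[-1]   # drop epoch if present
    v = v.rsplit("-", 1)[0]                # drop Debian revision if present
    if "+really" in v:
        v = v.split("+really", 1)[1]       # the real upstream follows "+really"
    return v


def scan_listing(dpkg_output: str) -> list[tuple[str, str]]:
    """Return (package, version) pairs whose upstream xz is backdoored."""
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        pkg, ver = parts
        if pkg in WATCHED_PACKAGES and upstream_version(ver) in BACKDOORED_UPSTREAM:
            hits.append((pkg, ver))
    return hits


# Constructed sample listing: two stale entries, one fixed via "+really",
# one older clean release and one current release with an epoch.
SAMPLE_LISTING = """\
liblzma5 5.6.1-1
xz-utils 5.6.1-1
liblzma5 5.6.1+really5.4.5-1
xz-utils 5.4.1-0.2
liblzma5 1:5.6.2-2
"""

if __name__ == "__main__":
    for pkg, ver in scan_listing(SAMPLE_LISTING):
        print(f"BACKDOORED: {pkg} {ver}")
```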