In March 2024, one of the most dangerous backdoors in the Linux ecosystem was discovered: the XZ-Utils backdoor. More than a year later, there are still at least 35 Linux images on Docker Hub containing it, putting users, businesses, and their data at risk.
Docker Hub is the official public repository for container images, used by developers and organizations worldwide to upload and download ready-to-use images. Many CI/CD pipelines and production environments use them directly as the base for their own containers — which means that if that base is compromised, your project will be too.
Researchers at Binarly discovered that, although the vulnerability was fixed long ago, some compromised images remain publicly available. Even worse, there are images built on top of these infected bases, inheriting the backdoor indirectly.
The vulnerability, identified as CVE-2024-3094, was hidden in the liblzma.so library of the xz-utils compression tool (versions 5.6.0 and 5.6.1). It allowed an attacker with a special private key to connect via SSH to an affected system, bypass authentication, and execute commands as root.
This backdoor was inserted by a project contributor named “Jia Tan” and ended up being distributed in official packages for Debian, Fedora, OpenSUSE, and Red Hat — making it one of the most severe supply chain security incidents in recent history.
Binarly reported these images to Debian, one of the maintainers that still had them on Docker Hub. Surprisingly, Debian decided not to remove them, arguing that the risk is low and that it is important to keep them for historical archival purposes. According to Debian, for the attack to be possible, the container would have to have SSH installed and running, the attacker would need access to that service, and the specific private key for the backdoor.
However, at TecnetOne we agree with Binarly: leaving them available remains a risk because anyone could use them by accident or integrate them into an automated build without realizing it.
Image: response from the Debian maintainer (source: Binarly)
If you use Docker Hub images (especially from Debian or its derivatives), we recommend:
The continued presence of these compromised images on Docker Hub is a clear reminder that security does not end with the detection of a threat — it also involves cleaning up, removing compromised components, and educating teams about their impact.
We recommend regularly auditing your base images and avoiding the use of outdated or unverified versions so your development and production environments remain free of inherited risks.
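As an added example of the audit recommended above (this is not code from the article, from Binarly or from Debian), the POSIX shell functions below check a package listing taken from a container image for the xz-utils / liblzma releases the article names, 5.6.0 and 5.6.1. The `audit_image` helper, the package names it queries and the two sample listings are assumptions constructed for the example; the version check is written so that it also accepts the `xz` / `xz-libs` package names used by rpm-based images, since the article notes the backdoored release also shipped in Fedora and Red Hat packages.

```shell
#!/bin/sh
# Added example: flag the xz-utils versions affected by CVE-2024-3094
# (upstream 5.6.0 and 5.6.1) in a "package version" listing.

# Return 0 if the given package version string is a backdoored upstream
# release. Handles Debian ("5.6.1-1", "1:5.6.1-1") and rpm ("5.6.1-1.fc40")
# version formats by stripping the epoch and the distro revision.
xz_version_is_backdoored() {
    upstream=${1#*:}          # drop "epoch:" if present
    upstream=${upstream%%-*}  # drop "-revision" if present
    case "$upstream" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "package version" lines on stdin (dpkg-query -W or rpm -qa output)
# and print every xz/liblzma package whose version is backdoored.
# Exit status: 0 = backdoored package found, 1 = none found,
# 2 = listing was empty (treat as "could not audit", not as clean).
scan_dpkg_listing() {
    found=1
    lines=0
    while read -r pkg ver; do
        lines=$((lines + 1))
        case "$pkg" in
            xz-utils|liblzma5|liblzma-dev|xz|xz-libs)
                if xz_version_is_backdoored "$ver"; then
                    echo "BACKDOORED: $pkg $ver"
                    found=0
                fi ;;
        esac
    done
    if [ "$lines" -eq 0 ]; then
        echo "WARNING: empty package listing, image could not be audited" >&2
        return 2
    fi
    return $found
}

# Query a Debian-based image for its xz packages and scan the result.
# Assumed helper: needs docker on the host. For rpm-based images, pipe
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs
# from inside the image into scan_dpkg_listing instead.
audit_image() {
    docker run --rm --entrypoint dpkg-query "$1" \
        -W -f '${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null \
        | scan_dpkg_listing
}

# Constructed sample listings (not real output from any Docker Hub image).
SAMPLE_LISTING='liblzma5 5.6.1-1
xz-utils 5.6.1-1
openssh-server 1:9.2p1-2+deb12u3'

SAFE_LISTING='liblzma5 5.4.1-0.2
xz-utils 5.4.1-0.2'

# Demonstration on the constructed listings; use audit_image for real images.
echo "--- constructed backdoored listing ---"
printf '%s\n' "$SAMPLE_LISTING" | scan_dpkg_listing || echo "(no match)"
echo "--- constructed clean listing ---"
printf '%s\n' "$SAFE_LISTING" | scan_dpkg_listing || echo "(no match)"
```

Run the script as-is to see the two constructed listings scanned, or source it and call `audit_image <image>` against a base image before a build. An empty listing is deliberately reported as a separate status so that an image where the query failed (for example, one without `dpkg-query`) is not mistaken for a clean one.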