The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.
[…]
Many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers, and if those images are compromised, the new build inherits the flaw or malicious code.
Debian says they intentionally opted not to remove these images from Docker Hub and to leave them as historical artifacts, telling users to only use up-to-date images and not old ones.
The maintainers made this decision as they believe the requirements for exploitation are unlikely, such as requiring sshd installed and running on the container, the attacker having network access to the SSH service on that container, and using a private key that matches the backdoor’s trigger logic.
Idk that seems pretty reasonable to me. I think I’ve eojly ever needed to enable ssh on a container once
