Docker continues to harbor numerous potentially harmful image files, potentially exposing users to danger

Malicious software packages remain unintentionally active on developers' platforms

Dangerous malicious Docker images continue to persist, posing threats to users' safety

In March 2024, a supply chain attack was discovered that affected at least 35 Linux images hosted on Docker Hub, including base images from Debian, Fedora, and openSUSE. These images were shipped with compromised XZ Utils packages and contain a backdoor that could put software developers and their products at risk of takeover, data theft, ransomware, and more.

The infected Docker images, primarily from Debian versions like unstable, testing, and trixie from around March 2024, have not been fully removed or taken down from Docker Hub as of August 2025. Researchers have noted that some compromised images remain publicly accessible and continue to serve as a basis for other infected images, perpetuating the risk.

The backdoor was inserted into the liblzma.so library shipped by xz-utils, not into the stable releases of the Linux distributions. The affected images on Debian's Docker Hub namespace are considered outdated and should not be used. However, Debian developers have not removed the infected 64-bit images from Docker Hub despite being aware of the backdoor.

The impact on Docker images from distributions other than Debian, such as Fedora and openSUSE, remains unknown at this time. Binarly's experts have found that several Docker images, built around the time of the compromise, also contain the backdoor.

The backdoor was first discovered in March 2024 and was inserted by a developer named 'Jia Tan', who had built significant credibility in the open source community through various contributions. The security issues found in xz-utils have affected Docker images from various Linux distributions, not just Debian Docker images.

| Linux Distribution | Number of Known Docker Images Affected | Removal Status on Docker Hub |
|--------------------|----------------------------------------|------------------------------|
| Debian | 12 confirmed base images + others built on top | Still publicly available, not removed |
| Fedora | Included in backdoored packages, precise number unknown | Likely some images still affected |
| openSUSE | Included in backdoored packages, precise number unknown | Likely some images still affected |

The persistence of these compromised images poses an ongoing supply chain and security risk, particularly for projects building on Docker images that may inherit the backdoor. If you use Docker images based on these distributions, especially Debian images from early 2024, it is critical to verify image integrity and avoid using the affected versions until clean images are re-published and confirmed secure.
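One concrete way to do that verification, as an added example that is not from the article or any of the projects it mentions: pull the dpkg database out of a Debian-based image (without running the image's entrypoint) and flag an installed xz-utils or liblzma5 whose upstream version is on a known-bad list. The bad-version set is a placeholder to be filled from the advisory you are acting on, the sample status text is constructed, and `docker` is assumed to be on the host's PATH. The `+really` handling is there because Debian fixes a bad upstream by publishing a version such as `2.0.1+really1.9.9-1`, which a naive prefix match would wrongly flag.

```python
import subprocess

# PLACEHOLDER: fill with the upstream xz versions named in the advisory you act on.
KNOWN_BAD_UPSTREAM = {"X.Y.Z"}
PACKAGES = ("xz-utils", "liblzma5")

# Constructed dpkg status excerpt (not taken from any real image) for the offline demo.
SAMPLE_STATUS = """Package: xz-utils
Status: install ok installed
Version: 9.9.0-1

Package: liblzma5
Status: install ok installed
Version: 9.9.0+really9.8.0-1

Package: liblzma-dev
Status: deinstall ok config-files
Version: 9.9.0-1
"""

def dpkg_status_from_image(image: str) -> str:
    """Read /var/lib/dpkg/status out of an image without running its entrypoint."""
    cmd = ["docker", "run", "--rm", "--entrypoint", "cat", image, "/var/lib/dpkg/status"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_dpkg_status(text: str) -> dict:
    """Map package name -> Debian version for every stanza whose Status is 'installed'."""
    versions, fields = {}, {}
    for line in text.splitlines() + [""]:        # trailing "" closes the last stanza
        if line == "":
            if "Package" in fields and fields.get("Status", "").endswith(" installed"):
                versions[fields["Package"]] = fields.get("Version", "")
            fields = {}
        elif ":" in line and not line.startswith(" "):   # skip Description continuations
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return versions

def upstream_version(debian_version: str) -> str:
    """'1:2.0.1-3' -> '2.0.1'. A '+really' downgrade such as '2.0.1+really1.9.9-1' ships
    upstream 1.9.9, so a naive match on the leading '2.0.1' would be a false positive."""
    v = debian_version.split(":", 1)[-1].rsplit("-", 1)[0]   # drop epoch and revision
    return v.split("+really", 1)[1] if "+really" in v else v

def affected_packages(status_text: str, bad_upstream=KNOWN_BAD_UPSTREAM) -> dict:
    """Return {package: version} for installed xz packages built from a bad upstream."""
    return {p: v for p, v in parse_dpkg_status(status_text).items()
            if p in PACKAGES and upstream_version(v) in bad_upstream}
```

Against a real image, call `affected_packages(dpkg_status_from_image("debian:trixie"))` after filling `KNOWN_BAD_UPSTREAM`; a non-empty result means the image ships a flagged xz build and should not be used as a base.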

The latest Ubuntu beta and other Linux distros may have been delayed due to the xz-utils security issues. It is essential for developers and users to stay vigilant and proactive in securing their systems against such threats.

The supply chain attack discovered in March 2024 reached users through cloud and container infrastructure: Docker images containing compromised XZ Utils packages were found on Docker Hub. As of August 2025, some of these infected images, particularly Debian images and images built on top of them, remain publicly accessible, posing an ongoing risk for projects that build on such images.