Cyber Web Spider Blog – News
Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks

Posted on August 12, 2025 by CWS

Aug 12, 2025 | Ravie Lakshmanan | Malware / Container Security
New analysis has uncovered Docker images on Docker Hub that contain the notorious XZ Utils backdoor, more than a year after the incident was discovered.
Even more troubling is the fact that other images have been built on top of these infected base images, propagating the infection further in a transitive manner, Binarly REsearch said in a report shared with The Hacker News.
The firmware security company said it found a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.
The XZ Utils supply chain incident (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund sounded the alarm on a backdoor embedded within XZ Utils versions 5.6.0 and 5.6.1.

Further analysis of the malicious code and the broader compromise led to several startling discoveries, the first and foremost being that the backdoor could grant unauthorized remote access and enable the execution of arbitrary payloads via SSH.
Specifically, the backdoor, located in the liblzma.so library that the OpenSSH server loads, was designed to trigger when a client interacts with the infected SSH server.
“By hijacking the RSA_public_decrypt function using the glibc's IFUNC mechanism, the malicious code allowed an attacker possessing a specific private key to bypass authentication and execute root commands remotely,” Binarly explained.
The second finding was that the modifications were pushed by a developer named “Jia Tan” (JiaT75), who spent almost two years contributing to the open-source project to build trust until they were given maintainer responsibilities, signaling the meticulous nature of the attack.
“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” Binarly noted at the time. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

The latest research from the company shows that the impact of the incident continues to send aftershocks through the open-source ecosystem even after all these months.
This includes the discovery of 12 Debian Docker images that contain a backdoored build of XZ Utils, and a further set of second-order images built on top of the compromised Debian images.

Binarly said it reported the base images to the Debian maintainers, who said they have “made an intentional choice to leave these artifacts available as a historical curiosity, especially given the following extremely unlikely (in containers/container image use cases) factors required for exploitation.”
However, the company pointed out that leaving publicly available Docker images that contain a potentially network-reachable backdoor carries a significant security risk, regardless of the conditions required for successful exploitation: network access to the infected host with the SSH service running. That condition cuts both ways for practitioners: a container that never starts sshd does not expose the backdoor, but a derived image that installs and runs the distribution's OpenSSH server on top of the infected base does.
“The xz-utils backdoor incident demonstrates that even short-lived malicious code can remain unnoticed in official container images for a long time, and that it can propagate in the Docker ecosystem,” it added.
“The delay underscores how these artifacts can silently persist and propagate through CI pipelines and container ecosystems, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”
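As an added example (not Binarly's scanner and not anything shipped by the Debian project), the following Python script applies the "binary-level monitoring beyond simple version tracking" point to a `docker save` archive. It reads every layer, so the transitive case from the article (an image built on top of an infected base image) is caught through the base layers it inherits. Two checks run per layer: the dpkg database for xz-utils or liblzma5 at upstream 5.6.0 or 5.6.1, and every liblzma.so.5* file for the byte pattern that the detect.sh script posted with the original oss-security disclosure greps for. Assumptions: that pattern is a heuristic for the x86-64 build of the implant and not proof of compromise on its own, and `build_sample_image` constructs a synthetic two-layer image purely as test input.

```python
"""Scan a `docker save` archive for the backdoored XZ Utils (CVE-2024-3094).

Added example for this article, not tooling from Binarly or Debian. Every layer
is scanned, so an image built on an infected base layer inherits its findings.
Checks: (1) var/lib/dpkg/status for xz-utils / liblzma5 at upstream 5.6.0 or
5.6.1; (2) any liblzma.so.5* file for the detect.sh byte pattern (heuristic).
"""
import io
import re
import sys
import tarfile

AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}
SUSPECT_PACKAGES = {"xz-utils", "liblzma5"}
# Pattern from the public detect.sh (Andres Freund, oss-security, 2024-03-29).
BACKDOOR_SIG = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)
LIBLZMA_RE = re.compile(r"(^|/)liblzma\.so\.5(\.\d+)*$")


def parse_dpkg_status(text):
    """Return {package: version} for every installed stanza of a dpkg status file."""
    installed = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed") and "Package" in fields:
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def upstream_version(debian_version):
    """'2:5.6.1-1' -> '5.6.1': drop the epoch and the Debian revision."""
    return debian_version.split(":", 1)[-1].split("-", 1)[0]


def scan_layer(layer_bytes, layer_name="layer"):
    """Return finding strings for one layer tarball (plain or compressed)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer:
            if not member.isfile():
                continue
            path = member.name.lstrip("./")
            if path == "var/lib/dpkg/status":
                text = layer.extractfile(member).read().decode("utf-8", "replace")
                for pkg, ver in parse_dpkg_status(text).items():
                    if pkg in SUSPECT_PACKAGES and upstream_version(ver) in AFFECTED_UPSTREAM:
                        findings.append(f"{layer_name}: dpkg {pkg} {ver}")
            elif LIBLZMA_RE.search(path):
                if BACKDOOR_SIG in layer.extractfile(member).read():
                    findings.append(f"{layer_name}: signature in {path}")
    return findings


def scan_image(image_tar_bytes):
    """Walk a `docker save` archive (legacy or OCI layout) and scan each layer blob."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as image:
        for member in image:
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            try:
                findings.extend(scan_layer(blob, member.name))
            except tarfile.TarError:
                continue  # manifest.json, image config and other non-layer blobs
    return findings


def _tar_bytes(entries):
    """Build an uncompressed tar in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image(infected):
    """Constructed two-layer image: a Debian-like base layer plus an application layer."""
    lzma_version = "5.6.1-1" if infected else "5.4.1-0.2"
    status = (
        f"Package: liblzma5\nStatus: install ok installed\nVersion: {lzma_version}\n\n"
        "Package: coreutils\nStatus: install ok installed\nVersion: 9.1-1\n"
    )
    lib_path = f"usr/lib/x86_64-linux-gnu/liblzma.so.{upstream_version(lzma_version)}"
    # Stand-in for the ELF body: the signature only appears in the infected variant.
    lib_body = b"\x7fELF" + b"\x00" * 60 + (BACKDOOR_SIG if infected else b"\x90" * 34) + b"\x00" * 60
    base = _tar_bytes({"var/lib/dpkg/status": status.encode(), lib_path: lib_body})
    app = _tar_bytes({"app/server.py": b"print('hello')\n"})
    return _tar_bytes({"manifest.json": b"[]", "base/layer.tar": base, "app/layer.tar": app})


if __name__ == "__main__":
    # Usage: python scan_xz.py image.tar (from `docker save`); with no argument the sample runs.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(infected=True)
    print("\n".join(scan_image(data) or ["no indicators found"]))
```

Export the image with `docker save image:tag -o image.tar` and pass the path as the only argument. A hit in an early layer means the backdoored build is in the image's history; if a later layer upgraded the package, the last dpkg status in layer order decides whether it is still installed, so treat per-layer findings as a prompt to inspect the final filesystem rather than as a verdict on their own.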
