Researchers find XZ Utils backdoor in dozens of Docker Hub images, threatening supply chains

13.08.2025 2 minutes Author: Newsman

Cybersecurity experts have found more than 35 Docker images on Docker Hub infected with the notorious XZ Utils backdoor, which continues to spread even a year after the incident, posing risks to software supply chains.

Binarly said it found infected base Docker images that other projects were built on, thus spreading the infection transitively. Among them are 12 official Debian images and a number of derivatives that contain malicious code in the *liblzma.so* library. The backdoor uses the IFUNC mechanism in glibc, intercepts the *RSA_public_decrypt* function, and allows an attacker with a private key to bypass authentication and execute commands as root via SSH. The discovered artifacts are still publicly available, although their exploitation requires specific conditions, including network access to the infected device with SSH service enabled.

The XZ Utils incident (CVE-2024-3094, CVSS 10.0) became known in March 2024, when Andres Freund reported a backdoor in versions 5.6.0 and 5.6.1. It turned out that the changes were made by a developer under the nickname JiaT75, who spent almost two years building trust in the project before obtaining maintainer rights. Experts consider the attack to be sophisticated, planned, and likely state-sponsored.

Binarly emphasizes that even short-lived malicious code can remain undetected in container images for years, spreading through CI/CD pipelines and the Docker ecosystem. This highlights the need for continuous monitoring at the binary level, not just version tracking.
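As an added example (not part of the article and not Binarly's tooling), the Python script below shows the kind of binary-level check the last paragraph calls for: it walks a `docker save` archive layer by layer, hashes every liblzma.so it finds and reports the version, so a base image pulled in transitively can be compared against a hash allowlist instead of being trusted by tag. It assumes the legacy `<id>/layer.tar` archive layout; the sample image, the allowlist and the embedded-version fallback are constructed assumptions.

```python
import hashlib
import io
import re
import tarfile

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}  # the releases named in CVE-2024-3094
SONAME_RE = re.compile(rb"\.so\.(\d+\.\d+\.\d+)$")              # liblzma.so.5.6.1 -> 5.6.1
EMBEDDED_RE = re.compile(rb"(?<![\d.])(5\.\d+\.\d+)(?![\d.])")  # fallback heuristic: xz releases are 5.x.y

def _tar_bytes(files):
    """Build an in-memory tar archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _layer_files(image):
    """Yield (layer, path, bytes) for each regular file in each *.tar layer of a `docker save` archive."""
    fileobj = io.BytesIO(image) if isinstance(image, bytes) else None  # accept a path or raw bytes
    with tarfile.open(None if fileobj else image, fileobj=fileobj) as outer:
        for m in outer.getmembers():
            if m.isfile() and m.name.endswith(".tar"):
                with tarfile.open(fileobj=io.BytesIO(outer.extractfile(m).read())) as layer:
                    for lm in layer.getmembers():
                        if lm.isfile():
                            yield m.name, lm.name, layer.extractfile(lm).read()

def scan_image(image, known_good=frozenset()):
    """List every liblzma.so in any layer with its SHA-256 and version; flag backdoored versions
    and, when a hash allowlist is supplied, any binary whose hash is not on it."""
    findings = []
    for layer, path, blob in _layer_files(image):
        if not path.rsplit("/", 1)[-1].startswith("liblzma.so"):
            continue
        digest = hashlib.sha256(blob).hexdigest()
        match = SONAME_RE.search(path.encode()) or EMBEDDED_RE.search(blob)
        version = match.group(1).decode() if match else None
        verdict = ("backdoored-version" if version in BACKDOORED_VERSIONS
                   else "unknown-hash" if known_good and digest not in known_good else "ok")
        findings.append({"layer": layer, "path": path, "sha256": digest, "version": version, "verdict": verdict})
    return findings

def build_sample_image():
    """Constructed stand-in for `docker save` output: two layers, each shipping a liblzma build."""
    layer_a = _tar_bytes({"usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1": b"\x7fELF" + b"\0" * 32 + b"5.6.1\0"})
    layer_b = _tar_bytes({"usr/lib/liblzma.so": b"\x7fELF" + b"\0" * 32 + b"5.4.5\0"})
    return _tar_bytes({"aaa/layer.tar": layer_a, "bbb/layer.tar": layer_b, "manifest.json": b"[]"})
```

Run `scan_image("image.tar", known_good=...)` on the output of `docker save` to get one record per liblzma binary; the allowlist should hold the hashes of builds you have verified yourself, since a version string alone says nothing about whether the binary was rebuilt.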
