Nearly half of the exposed images contained five or more secrets each. Flare's November 2025 scan of Docker Hub found 10,456 container images with exposed keys across 205 distinct namespaces. After filtering for high and critical severity findings, researchers successfully identified 101 companies behind the leaks. The exposed credentials ranged from AI model access tokens to cloud infrastructure keys and database passwords.
"This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a 'magic packet,'" security researcher Théo Letailleur said. The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 as the starting point, following which a malicious Docker Hub image named "kvlnt/vv" (now removed) was deployed on several Kubernetes clusters.
Docker is launching a new subscription service for its Hardened Images catalog. The secure container images are designed to help organizations achieve near-zero CVEs without the high costs that were previously associated with this. With this launch, Docker is committed to democratizing container security. Every developer often starts their journey at Docker Hub. According to the company, this first step should be secure by default, without a premium price tag.