In March last year, an insidious software supply chain compromise was revealed. The discovery of a backdoor in XZ Utils shook the cybersecurity world, both for its technical sophistication and for the bad actor’s methodical patience.
A developer known as “Jia Tan” had spent two years earning trust in the XZ Utils project. The code they contributed was clean. Until it wasn’t.
Hidden inside liblzma.so sat a backdoor. It came to life when a client connected to an infected SSH server. It hooked into critical cryptographic functions: RSA_public_decrypt, RSA_get0_key, and EVP_PKEY_set1_RSA, granting the attacker silent access.
Debian, Fedora, and OpenSUSE shipped the poisoned packages. This was a supply chain compromise on a scale that left little untouched. Within a day, Binarly released XZ.fail, a free tool to detect malicious IFUNC resolvers.
The story should have ended there. It hasn’t.
Old Poison in New Bottles
Binarly has found the backdoor again. This time in Docker images.
At least 12 Debian-based images on Docker Hub still carry the malicious code. More than 35 in total show signs of infection. Some of these images were used to build others. The infection spreads silently through “second-order” images, and likely beyond.
Binarly’s scan covered only a fraction of Docker Hub. They focused on Debian because it keeps historical image data. The extent of infections in Fedora, OpenSUSE, and other distributions remains unknown.
The findings come from a 15-terabyte dataset of Docker images. Binarly used it to sharpen its detection tools, searching for the same ELF file anomalies and IFUNC hooks seen in the original compromise.
They found them.
A Chain That Keeps Building
Second-order infections mean the risk is not frozen in time. Each compromised base image can spawn new images. Those, in turn, can be reused again. Third-order, fourth-order, and so on.
Tracking this is hard. Docker Hub holds almost 12 million repositories. Many have hundreds of images. There is no direct way to trace every descendant. Binarly resorted to manual mapping and targeted searches.
Some infected images are outdated. Others are tagged as the latest build. That means developers (or automated systems) could still be pulling them into active use.
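Where an organisation holds its own Dockerfiles, the descendant mapping Binarly had to do by hand can be partly automated. The script below is an added example, not Binarly's tooling or anything from the article: it parses FROM lines (including multi-stage aliases, --platform flags, tags and digests), builds the image inheritance graph and lists every image transitively built on a flagged base. The Dockerfiles and image names, including the flagged base "vendor/base-os", are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample inputs (not real Docker Hub data): the Dockerfile that builds
# each image, keyed by the name it is pushed as. "vendor/base-os" stands in for a
# base image a scan has flagged; the name is an assumption made for this example.
DOCKERFILES = {
    "acme/base": "FROM vendor/base-os:12-slim\nRUN apt-get update\n",
    "acme/builder": (
        "FROM --platform=$BUILDPLATFORM golang:1.22 AS build\n"
        "RUN go build -o /app ./cmd\n"
        "FROM acme/base@sha256:0000000000000000000000000000000000000000000000000000000000000000\n"
        "COPY --from=build /app /app\n"
    ),
    "acme/api": "ARG TAG=latest\nFROM acme/builder:${TAG}\nCMD [\"/app\"]\n",
    "acme/tools": "FROM alpine:3.19\nRUN apk add --no-cache curl\n",
    "acme/static": "FROM scratch\nCOPY site /site\n",
}

# FROM [--flag ...] <image> [AS <stage>]; flags such as --platform precede the reference.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?",
                     re.IGNORECASE | re.MULTILINE)

def repo_name(ref: str) -> str:
    """Strip tag and digest from an image reference, keeping registry (with port) and path."""
    ref = ref.split("@", 1)[0]                 # drop @sha256:... digest
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]               # a ':' in the last component is a tag, not a port
    return f"{head}/{last}" if head else last

def parents(dockerfile: str) -> set[str]:
    """External base images a Dockerfile pulls; stage aliases and 'scratch' are not images."""
    aliases, result = set(), set()
    for image, alias in FROM_RE.findall(dockerfile):
        if alias:
            aliases.add(alias.lower())
        if image.lower() != "scratch" and image.lower() not in aliases:
            result.add(repo_name(image))
    return result

def descendants(tainted: str, dockerfiles: dict[str, str]) -> dict[str, int]:
    """BFS over the build graph. Depth 1 = built directly on the tainted image (the
    article's "second-order" images), depth 2 = built on those, and so on."""
    children: dict[str, set[str]] = {}
    for image, text in dockerfiles.items():
        for parent in parents(text):
            children.setdefault(parent, set()).add(image)
    depth, queue = {}, deque([(tainted, 0)])
    while queue:
        node, d = queue.popleft()
        for child in children.get(node, ()):
            if child not in depth:             # diamonds/cycles: keep the shortest path
                depth[child] = d + 1
                queue.append((child, d + 1))
    return depth

if __name__ == "__main__":
    for image, d in sorted(descendants("vendor/base-os", DOCKERFILES).items(), key=lambda kv: kv[1]):
        print(f"{image}: depth {d} below flagged base")
```

Run against a real Dockerfile corpus, the output is the set of images to re-scan and rebuild once their base is cleaned; ARG-driven tags are collapsed to the repository name, so a match means "could have been built on it", not proof of infection.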
Warnings Unheeded
Binarly notified Debian maintainers and asked for removal of the images. They remain online.
The persistence of this backdoor is a warning. Supply chain compromises do not vanish when patches land. Copies survive. They are cached, forked, republished. They wait for someone to pull them into a live environment.
The XZ Utils backdoor was a lesson in patience and precision from an attacker. Its lingering presence in Docker images is a lesson in how long a breach can echo.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.