Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks

Aug 12, 2025Ravie LakshmananMalware / Container Security

New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident.

More troubling is the fact that other images have been built on top of these infected base images, effectively propagating the infection further in a transitive manner, Binarly REsearch said in a report shared with The Hacker News.

The firmware security company said it discovered a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.

The XZ Utils supply chain event (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund sounded the alarm on a backdoor embedded within XZ Utils versions 5.6.0 and 5.6.1.

Further analysis of the malicious code and the broader compromise led to several startling discoveries, the first and foremost being that the backdoor could lead to unauthorized remote access and enable the execution of arbitrary payloads through SSH.

Specifically, the backdoor — placed in the liblzma.so library and used by the OpenSSH server — was designed such that it triggered when a client interacts with the infected SSH server.

By hijacking the RSA_public_decrypt function using the glibc’s IFUNC mechanism, the malicious code allowed an attacker possessing a specific private key to bypass authentication and execute root commands remotely,” Binarly explained.

The second finding was that the changes were pushed by a developer named “Jia Tan” (JiaT75), who spent almost two years contributing to the open-source project to build trust until they were given maintainer responsibilities, signaling the meticulous nature of the attack.

“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” Binary noted at the time. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

The latest research from the company shows that the impact of the incident continues to send aftershocks through the open-source ecosystem even after all these months.

This includes the discovery of 12 Debian Docker images that contain one of the XZ Utils backdoor, and another set of second-order images that include the compromised Debian images.

Binarly said it reported the base images to the Debian maintainers, who said they have “made an intentional choice to leave these artifacts available as a historical curiosity, especially given the following extremely unlikely (in containers/container image use cases) factors required for exploitation.”

However, the company pointed out that leaving publicly available Docker images that contain a potential network-reachable backdoor carries a significant security risk, despite the criteria required for successful exploitation – the need for network access to the infected device with the SSH service running.

“The xz-utils backdoor incident demonstrates that even short-lived malicious code can remain unnoticed in official container images for a long time, and that can propagate in the Docker ecosystem,” it added.

“The delay underscores how these artifacts may silently persist and propagate through CI pipelines and container ecosystems, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!