kong-ingress-controller
Kong Ingress Controller image backdoored with cryptominer
An attacker compromised a Kong DockerHub Personal Access Token (PAT), likely via a CI/CD pipeline exploit ("Pwn Request" targeting an old branch). Using this token, they uploaded a malicious version of the official Kong Ingress Controller container image (v3.4.0) directly to DockerHub. This malicious image contained an XMRig cryptominer configured to mine Monero using the resources of clusters that pulled and ran the compromised image.
- Date: 2024-12-23 to 2025-01-02
- Category: Open Source
- Target Surface: Build/CI
- Insertion Phase: CI/CD
- Impact: Financial Exploitation
- Cause: Compromised Account/Credentials
What Was Affected
- Package: kong-ingress-controller
- Language: Binary
- Component: Application
- Artifact type: OCI image
- Domain type: container host
- Domain: docker.io
Compromised Versions
- 3.4.0
Incident Context
- Motive: Financial Gain
- Attribution: Individual Hacker
- Observed Duration: 10 days
Evidence
Compromised Artifacts
- docker://docker.io/kong/kubernetes-ingress-controller:3.4.0@sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43
- hub.docker.com/layers/kong/kubernetes-ingress-controller/3.4.0/images/sha256-a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43
Indicators and Changes
Hashes
- sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43
- sha256:4e3bbca1ba0bf9f0d53c8b1cc07bf92d9b1d41b3f066fdf4aec7cdd8c21ca3b7
- sha256:e164e6e21c661679c556d16638300c25e16d86bb2d567ad66b4181f1a65f4788
- sha256:56ff46874f0536c289ff38af4cb308af8f7e6156e3f9d9227b71004d2042a4e6
Source Data
Source record: oss/kong-ingress-controller/meta.yaml