
Kong urges action after Docker account compromised, malware uploaded

A cryptominer and trolling in logs? It could have been a LOT worse. Here's what builders should do...

Kong says it has revoked security keys and uploaded a clean “image” after a malicious third party compromised its DockerHub account and slipped a malicious image (an executable package used to run a container) into it.

It was not immediately clear how many users adopted the bad image, but several reported noticing immediate excessive CPU use. The incident happened after a Kong DockerHub Personal Access Token (PAT) used to upload release images was somehow exposed shortly before Christmas.

The attacker was hardly trying to cover their tracks.

“info setup Starting controller manager. Kong does not care about security. {"v": 0, "release": "3.4.0", "repo": "https://github.com/kong/kubernetes-ingress-controller.git", "commit": "92a6761ac1c94ecd202571cbf84de860336664f3"}” – A message that appeared in users’ logs.

“If you pulled Kong Ingress Controller v3.4.0 between December 22, 2024 and January 3, 2025, please remove that image from any internal registries & clusters and ensure that the remediated image is pulled (either v3.4.1, or the clean, re-tagged v3.4 versions below) and run instead,” API gateway specialist Kong said in an advisory on GitHub.

“With the assistance of a third party we have completed our review of the unauthorized KIC 3.4.0 image, and have confirmed that the XMRig Miner was the sole unauthorized malicious code, and that there is no evidence of any other malicious code,” Kong’s Wanny Morellato told users.

The company has shared YARA rules to check for malicious activity.

Matt Moore, CTO and co-founder of supply chain security specialist Chainguard noted: "So lucky that it was “just” a crypto miner.

"When’s DockerHub going to support federated auth? Is Kong going to start signing their releases with sigstore?"

(sigstore, first released in March 2021, includes a number of signing, verification and provenance techniques that let developers securely sign software artifacts such as release files, container images and binaries with signatures stored in a tamper-proof public log. The service is free to use and designed to help prevent what are increasingly regular and sophisticated upstream software supply chain attacks.)

sigstore creator, Chainguard's Dan Lorenc, who posted about this incident on LinkedIn, noted that "As a maintainer, any key you have is a key that you can leak. [You should] lock down and regularly audit all systems that have access to PATs like this, or choose systems that allow OIDC-based authentication to avoid this altogether. CI/CD pipelines are notoriously hard to configure securely; tools like zizmor help here.

"Signing artifacts can help even if you can't use OIDC to publish, or users pull from mirrors out of your control. As an end-user, pin images you receive from third-parties by digest and test/malware scan them before upgrading. Check signatures if they exist. These are just minor protections though; the only way to completely control your destiny on attacks like these is to build all of your own artifacts directly from source in a hardened build system. SLSA provides a great framework for this hardening."
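A defender-side check for the two pieces of advice above (remove the 3.4.0 tag; pin third-party images by digest), added here as an example and not code from Kong, Chainguard or the article. It parses each image reference in a manifest, reports whether it is pinned by digest, and flags mutable references to the 3.4.0 tag; the repository name kong/kubernetes-ingress-controller, the sample manifest and its dummy digest are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample manifest fragment (not Kong's); the digest is a dummy value.
SAMPLE_MANIFEST = """
  - image: kong/kubernetes-ingress-controller:3.4.0
  - image: "kong/kubernetes-ingress-controller:3.4.1"
  - image: docker.io/kong/kubernetes-ingress-controller:3.4.0@sha256:%s
  - image: registry.local:5000/kong/kubernetes-ingress-controller
""" % ("0" * 64)

# Assumed repository name of the KIC image; 3.4.0 is the tag named in Kong's advisory.
AFFECTED_REPO = "kong/kubernetes-ingress-controller"
AFFECTED_TAGS = {"3.4.0"}

@dataclass
class ImageRef:
    name: str
    tag: "str | None"
    digest: "str | None"

def parse_image_ref(ref: str) -> ImageRef:
    # Split 'registry/repo:tag@sha256:...' into parts; tag and digest are optional.
    ref, tag, digest = ref.strip(), None, None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' introduces a tag; one before it is a registry host:port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ImageRef(ref, tag, digest)

def normalize_repo(name: str) -> str:
    # Drop a leading registry host so a mirror of the same repo compares equal.
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    return "/".join(parts)

def classify(ref: ImageRef) -> str:
    # PINNED: digest fixes the content (still confirm it came from a clean build).
    # AFFECTED_TAG: mutable ref to the tag Kong asked users to remove. MUTABLE_TAG: other tag-only refs.
    if ref.digest is not None:
        return "PINNED"
    if normalize_repo(ref.name) == AFFECTED_REPO and ref.tag in AFFECTED_TAGS:
        return "AFFECTED_TAG"
    return "MUTABLE_TAG"

def audit_manifest(text: str) -> list:
    # Classify every image: reference found in a manifest, in order of appearance.
    refs = re.findall(r"""image:\s*["']?([^\s"']+)""", text)
    return [(r, classify(parse_image_ref(r))) for r in refs]
```

A reference with no tag at all is reported as MUTABLE_TAG because it resolves to the floating `latest` tag.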

Kong has been contacted for comment on how a DockerHub Personal Access Token (PAT) got compromised on its side and what it is doing to improve security beyond the immediate (and admittedly open and transparent) actions. The Stack will update this story when we have a response.

See also: JPMorgan’s Global CISO urges use of sigstore in OSS security drive
