VDB
GCVE-110-OSM-2026-7626
GCVE-110-OSM-2026-7626
Advisory PublishedCVSS 8.8/10
This Docker Hub image ships a cryptocurrency miner that is preconfigured to a fixed mining pool and payout wallet. Anyone who pulls and runs the image begins mining Monero (XMR) to the operator's wallet using their own CPU, without consent. Knorr inspected the image configuration and unpacked its layers. The image was read but never executed. The detection rule, the attacker infrastructure, and the exact location of the malicious code appear in the payload details so the finding can be verified independently.
Payout wallet: 89TxfrUmqJJcb1V124WsUzA78Xa3UYHt7Bg8RGMhXVeZYPN8cE5CZEk58Y1m23ZMLHN7wYeJ9da5n5MXharEjrm41hSnWHL. Attacker host: raw.githubusercontent.com. Built from: github.com/develsoftware/GMinerRelease. Location of the malicious code: image ENTRYPOINT / CMD / build history. Detection rule miner-wallet-flag matched on this line: "/bin/sh -c export GMINER_COMMON="--server localhost:3339 --user 89TxfrUmqJJcb1V124WsUzA78Xa3UYHt7Bg8RGMhXVeZYPN8cE5CZEk58Y1m23ZMLHN7wYeJ9da5n5MXharEjrm41hSnWHL --pass gpu_miner"".
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sha256:fef28c64d22b375a1963ee2d0305497640cd6edc8e4ded8b4b39c5f961cf7268 (affected) | — |
References
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.