[GH-ISSUE #576] ClamAV detected Coinminer in docker image #438

Closed
opened 2026-05-07 00:24:07 +02:00 by BreizhHardware · 5 comments

Originally created by @forgedbyte on GitHub (Jan 8, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/576

Was scanning the other day and got the warning on my containerd folder. Sure enough I can reproduce it by saving the docker image.

```
shawn@SHAWN-DESKTOP:~$ docker pull docker.io/binwiederhier/ntfy
Using default tag: latest
latest: Pulling from binwiederhier/ntfy
Digest: sha256:d13fda9b2741de857c3c9be2f89b24c514922da7aa3da060580640865beffdc1
Status: Image is up to date for binwiederhier/ntfy:latest
docker.io/binwiederhier/ntfy:latest
shawn@SHAWN-DESKTOP:~$ docker save -o ntfy.tar docker.io/binwiederhier/ntfy@sha256:d13fda9b2741de857c3c9be2f89b24c514922da7aa3da060580640865beffdc1
shawn@SHAWN-DESKTOP:~$ mkdir ntfy
shawn@SHAWN-DESKTOP:~$ tar -xf ntfy.tar -C ntfy
shawn@SHAWN-DESKTOP:~$ clamscan -r -i ntfy
/home/shawn/ntfy/785c9d282366f58ab6d7a65b79e22192780e823a0455bddbbf84facdc4732370/layer.tar: Unix.Packed.Coinminer-6856324-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8647316
Engine version: 0.103.6
Scanned directories: 3
Scanned files: 8
Infected files: 1
Data scanned: 34.96 MB
Data read: 26.05 MB (ratio 1.34:1)
Time: 16.469 sec (0 m 16 s)
Start Date: 2023:01:09 03:50:34
End Date:   2023:01:09 03:50:50
```
BreizhHardware 2026-05-07 00:24:07 +02:00: closed this issue; added the "question" label

@MaeIsBad commented on GitHub (Jan 8, 2023):

I believe this issue is caused by https://github.com/binwiederhier/ntfy/pull/137, which adds upx compression to the binary for the sake of reducing the container size.


@binwiederhier commented on GitHub (Jan 8, 2023):

Damn, you caught me. My days of coin mining are over. 😱

No but seriously, this seems to be pretty common with upx-packed Go binaries. I had to remove the packing from the Windows binary already because of false virus flagging. It's quite annoying.

The releases are built in CI and print checksums of everything at the end. See here: https://github.com/binwiederhier/ntfy/actions/runs/3766338182/jobs/6402734758

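The two comments above leave the operator with a practical question: when an AV signature fires on a `layer.tar`, is the hit explained by UPX packing, and which file inside the layer should be checked against the checksums the CI job prints? The script below is an added example written for this page; it is not ntfy's code and not something anyone in the thread posted. It walks the directory layout that `docker save` produces (a `manifest.json` whose `Layers` entries name per-layer tar files), reads each regular file in each layer, and flags ELF files that carry the `UPX!` marker near the start or end of the file, which is the same kind of signal packed-binary signatures key on. The marker offsets are a heuristic, the `build_sample_image` data is constructed for the demo and contains no real executables, and `demo()` exists only so the example runs offline.

```python
"""Locate UPX-packed ELF files inside the layers of an extracted `docker save` tarball.

Added example, not part of the ntfy project or this issue thread. Assumes the
standard `docker save` layout: manifest.json at the root, with "Layers" entries
naming per-layer tar files relative to the root.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"
HEAD_BYTES = 4096   # heuristic: UPX writes its l_info header shortly after the ELF program headers
TAIL_BYTES = 1024   # heuristic: and a trailing PackHeader near the end of the file


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: an ELF whose leading or trailing bytes carry the UPX! marker.

    A positive result only says "packed"; it says nothing about whether the
    payload is malicious, which is exactly why AV signatures on packers produce
    false positives.
    """
    if not data.startswith(ELF_MAGIC):
        return False
    return UPX_MARKER in data[:HEAD_BYTES] or UPX_MARKER in data[-TAIL_BYTES:]


def scan_layer(layer_path: str) -> list:
    """Return [(member_name, sha256hex)] for UPX-packed ELF files in one layer tar."""
    hits = []
    with tarfile.open(layer_path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            if looks_upx_packed(data):
                # Hash the packed bytes as stored in the layer so the value can be
                # compared against whatever the build pipeline publishes.
                hits.append((member.name, hashlib.sha256(data).hexdigest()))
    return hits


def scan_image_dir(image_dir: str) -> dict:
    """Map each layer tar named in manifest.json to its list of packed ELF files."""
    with open(os.path.join(image_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    results = {}
    for image in manifest:
        for layer in image["Layers"]:
            results[layer] = scan_layer(os.path.join(image_dir, layer))
    return results


def build_sample_image(root: str) -> None:
    """Constructed test data: one 'packed' and one 'clean' ELF-looking blob.

    Neither file is a real executable; they only carry the magic bytes the
    heuristic inspects.
    """
    layer_name = "0" * 64 + "/layer.tar"
    os.makedirs(os.path.join(root, "0" * 64), exist_ok=True)
    packed = ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 200 + UPX_MARKER
    clean = ELF_MAGIC + b"\x00" * 300
    with tarfile.open(os.path.join(root, layer_name), "w") as tar:
        for name, blob in (("usr/bin/app-packed", packed), ("usr/bin/app-clean", clean)):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/app:latest"],
                 "Layers": [layer_name]}]
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def demo() -> dict:
    """Build the constructed sample image in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    build_sample_image(root)
    return scan_image_dir(root)


if __name__ == "__main__":
    import sys
    # Pass the directory you extracted a `docker save` tarball into (e.g. the
    # `ntfy/` directory from the report above); with no argument the constructed
    # sample is scanned instead.
    results = scan_image_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for layer, hits in results.items():
        for name, digest in hits:
            print(f"{layer}: {name} looks UPX-packed sha256={digest}")
```

Run it against the `ntfy/` directory from the report and it prints the layer and in-layer path of any packed ELF, together with its hash. A flagged file can then be unpacked with `upx -d` and inspected as an ordinary Go binary, and the hash compared with what the release job prints, which is the verification route the maintainer points to; the heuristic alone never settles whether a hit is a false positive.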

@forgedbyte commented on GitHub (Jan 8, 2023):

How about publishing a "fat" image without the compression on a separate tag?


@binwiederhier commented on GitHub (Jan 8, 2023):

If anything, I'll just remove the upx step. It's been more painful than helpful anyway. And we already have too many published assets.


@binwiederhier commented on GitHub (Jan 12, 2023):

Done in github.com/binwiederhier/ntfy@1fd166d5c7
