Targeting the Heart of Development
Security researchers at Wiz have uncovered a widespread attack dubbed JINX-0132, representing a calculated shift in how threat actors target development environments. Unlike traditional attacks on end-users, this operation specifically targets the core technologies of DevOps workflows: HashiCorp Nomad, Consul, Gitea, and Docker API servers.
The campaign is notable for its stealth. Instead of custom malware, the attackers download legitimate tools (like standard releases of XMRig) directly from public GitHub repositories. By blending in with legitimate traffic and using trusted sources, they operate under the radar of many modern security tools.
HashiCorp Nomad: A New Attack Vector
The most significant discovery is the first documented exploitation of HashiCorp Nomad as an attack vector. Attackers abuse Nomad's job queue feature, which is often insecure by default, to submit and execute malicious jobs. Because this relies on the platform's native capabilities, the mining activity appears to be a legitimate workload management process.
The campaign also targets established vectors with refined techniques:
- Consul: Hijacking health check mechanisms to execute bash commands and download payloads.
- Docker: Creating containers that launch cryptocurrency miner images.
- Gitea: Exploiting known vulnerabilities like CVE-2020-14144 in outdated installations.
Scale of Risk and Defense Strategies
With 25% of cloud environments running these technologies, the attack surface is significant. The key to defense lies in proper configuration and the security best practices that are often overlooked during deployment:
- For Nomad: Implement Access Control Lists (ACLs) and proper authentication to prevent unauthorized job submissions.
- For Consul: Disable script checks and restrict the HTTP API to bind only to localhost.
- General: Ensure Docker APIs are not exposed to the internet without authentication and keep tools like Gitea fully updated.
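The three defensive points above, and the Consul health-check vector from the earlier list, can be checked mechanically. The following Python script is an added example, not code from the Wiz report or from DevOps.com: it audits the JSON form of a Consul agent config, a Consul service registration, a Nomad agent config and a Docker daemon.json for the weak settings named above, using the tools' real configuration keys (Consul `enable_script_checks`, `client_addr` and `addresses.http`; Nomad `acl.enabled`; Docker `hosts` and `tlsverify`). The sample configs are constructed for illustration and are not from any real deployment.

```python
"""Audit Consul, Nomad and Docker settings for the weak defaults JINX-0132 relies on.

Added example. The sample configurations below are constructed; the keys are the
real ones each tool reads from its JSON configuration files.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_consul(cfg: dict) -> list:
    """Flag Consul agent settings that allow remote script checks or expose the HTTP API."""
    findings = []
    if cfg.get("enable_script_checks") is True:
        findings.append("consul: enable_script_checks is true (script checks may be registered over the HTTP API)")
    # The HTTP API binds to addresses.http when set, otherwise to client_addr
    # (a space-separated list whose default is 127.0.0.1).
    http_addr = cfg.get("addresses", {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    for addr in str(http_addr).split():
        if addr not in LOOPBACK:
            findings.append(f"consul: HTTP API bound to non-loopback address {addr}")
    return findings


def audit_consul_services(reg: dict) -> list:
    """Flag registered services whose health checks run a local command.

    Consul script checks are the ones defined with 'args' (or the legacy 'script' key);
    HTTP, TCP and TTL checks do not execute anything on the agent host.
    """
    findings = []
    services = reg.get("services") or ([reg["service"]] if "service" in reg else [])
    for svc in services:
        checks = svc.get("checks") or ([svc["check"]] if "check" in svc else [])
        for chk in checks:
            if "args" in chk or "script" in chk:
                findings.append(f"consul: service {svc.get('name', '?')} uses a script health check")
    return findings


def audit_nomad(cfg: dict) -> list:
    """Nomad's ACL system is off unless acl.enabled is true; without it the job API is open."""
    if not cfg.get("acl", {}).get("enabled"):
        return ["nomad: ACLs disabled; job API accepts unauthenticated submissions"]
    return []


def audit_docker(cfg: dict) -> list:
    """Flag Docker API TCP listeners that do not require TLS client certificates."""
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"docker: API listening on {host} without TLS client verification")
    return findings


# Constructed sample configurations: the weak shape beside the corrected one.
PROFILES = {
    "weak": {
        "consul": {"enable_script_checks": True, "client_addr": "0.0.0.0"},
        "services": {"service": {"name": "web",
                                 "check": {"args": ["/usr/local/bin/check_web.sh"], "interval": "10s"}}},
        "nomad": {"datacenter": "dc1", "server": {"enabled": True}},      # no acl block at all
        "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
    },
    "fixed": {
        "consul": {"enable_script_checks": False, "client_addr": "127.0.0.1",
                   "addresses": {"http": "127.0.0.1"}},
        "services": {"service": {"name": "web",
                                 "check": {"http": "http://127.0.0.1:8080/health", "interval": "10s"}}},
        "nomad": {"datacenter": "dc1", "server": {"enabled": True}, "acl": {"enabled": True}},
        "docker": {"hosts": ["unix:///var/run/docker.sock"]},
    },
}


def run_audit(profile: str) -> list:
    """Run every audit over one named sample profile and return all findings."""
    p = PROFILES[profile]
    return (audit_consul(p["consul"]) + audit_consul_services(p["services"])
            + audit_nomad(p["nomad"]) + audit_docker(p["docker"]))


if __name__ == "__main__":
    for name in ("weak", "fixed"):
        print(f"[{name}]")
        for line in run_audit(name) or ["no findings"]:
            print("  " + line)
```

The "fixed" profile produces no findings; the "weak" profile produces five, one per misconfiguration. In practice the same functions can be fed the output of `json.load()` on the real config files, and the Consul service check can be run over the agent's registered services to catch script checks added after deployment.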
The JINX-0132 campaign is a wake-up call: organizations must prioritize security-by-default configurations to protect against these intrusions without compromising the agility of their DevOps pipelines.
Source: DevOps Tools Under Siege - DevOps.com