Docker Hub has quietly become a treasure trove of live cloud keys and credentials, with more than 10,000 public container images exposing sensitive secrets from over 100 companies, including a Fortune 500 firm and a major bank.

That's according to [1]security watchers at Canadian cybersecurity firm Flare , which, in its analysis of Docker Hub images uploaded in November 2025, says it uncovered 10,456 containers leaking one or more secrets, many of which grant access to production systems, cloud services, CI/CD pipelines, and AI platforms. Almost half of the offending images contained five or more exposed values, meaning a single pull could hand an attacker enough keys to roam across critical infrastructure.

The exposed secrets aren't theoretical test tokens or placeholders: they include active credentials. The most common category detected was API keys for large language models and other AI services, with almost 4,000 model access tokens found in the wild – a sign that developers' rush to adopt AI may be outpacing their security hygiene.

[2]

Flare's findings also show how easy it is for developers to ship secrets without noticing. Docker images don't just package code – they also capture whatever sits in the build context, from .env files to hard-coded API keys. Once published, those slips become part of the image for anyone to pull, and automated scanners scoop them up long before anyone spots the mistake.

[3]

[4]

What's more, a significant chunk of this leakage stems from so-called "shadow IT" accounts – Docker Hub registeries owned by individual developers, contractors, or small teams outside of formal corporate governance. Because these accounts often slip outside the scope of enterprise monitoring and scanning tooling, they can host high-value credentials without triggering internal alarms.

"We identified a Fortune 500 company whose secrets were exposed through a personal public Docker Hub account – likely belonging to an employee or contractor," Flare said. "There were no visible identifiers linking the repository to the individual or to the organization, yet the container manifests contained highly sensitive credentials with access to multiple internal environments."

[5]Devs gripe about having AI shoved down their throats

[6]Docker Compose vulnerability opens door to host-level writes – patch pronto

[7]Docker Desktop bug let containers hop the fence with barely a nudge

[8]Years-old bugs in open source tool left every major cloud open to disruption

Another example in Flare's haul involved a container registry run by a senior software architect at a major national bank. The account hosted hundreds of images, several of them leaking AI API tokens, but the real shock was that more than 430 bank-linked containers were sitting wide open with no meaningful access controls. That meant everything from personal experiments to potential production components were effectively published to the internet, offering attackers a ready-made path into one of the country's most sensitive financial environments.

Even when developers realize they've exposed a secret and remove it from the image or manifest, the underlying credential is rarely revoked. Flare notes that in about 75 percent of cases where a secret was deleted from a published image, the key or token itself remained active, meaning anyone who scooped it up during the exposure window could still use it.

[9]

To stem the tide, Flare is urging developers to stop baking secrets into images at build time, and to use dedicated secrets management tools and vaults, ephemeral credentials, and automated scanning before pushing any artifact to public registries. Without such shifts, the next high-profile breach might not come from a zero-day exploit, but from an innocuous Docker pull. ®

Get our [10]Tech Resources



[1] https://flare.io/learn/resources/docker-hub-secrets-exposed/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aTr4pjnNocGx8l5NdhcowwAAAMI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aTr4pjnNocGx8l5NdhcowwAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aTr4pjnNocGx8l5NdhcowwAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2025/11/19/ai_force_feeding/

[6] https://www.theregister.com/2025/10/30/docker_compose_desktop_flaws/

[7] https://www.theregister.com/2025/08/26/docker_desktop_bug/

[8] https://www.theregister.com/2025/11/24/fluent_bit_cves/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aTr4pjnNocGx8l5NdhcowwAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[10] https://whitepapers.theregister.com/