alibabacloud-ecs-sec-inspect
Audited by Socket on Jun 23, 2026
5 alerts found:
Securityx2Anomalyx2Obfuscated FileThe manifest configures a legitimate-sounding but high-impact one-time node security scanning job. It grants deep host visibility (hostPID/hostNetwork), elevated inspection capabilities, mounts the host root filesystem, and exposes Docker/containerd runtime sockets, and it configures an HTTP reporting endpoint. While the YAML shows no explicit malicious logic, the combination creates a meaningful dual-use attack surface: if the referenced image or its config were compromised, it could collect sensitive host/runtime data and potentially report it externally or interact with the runtime. Key mitigations include pinning the image by digest/signature, enforcing strong network egress controls and TLS, minimizing capabilities, and restricting runtime socket access/RBAC for the scanner service account.
This YAML is a privileged, configuration-driven host telemetry/inspection setup that reads a wide range of local system and security-sensitive artifacts (including /etc/shadow, sudoers, sshd_config, and authentication logs) and can run a systemctl command to enumerate services. The fragment contains no explicit exfiltration endpoints, credentials, or obfuscation, so direct malware is not proven from this snippet alone. The dominant risk is privacy/credential-adjacent data exposure and potential misuse depending on the consuming application’s handling and transport of collected data.
This file is a non-executable manifest that points to base64-encoded indicator datasets. While it contains no direct malicious behavior, the inclusion of highly suspicious tags (C2/mining/webshell/backdoor/malware) and base64-encoded indicator lists makes the overall package/data set potentially dangerous and warrants review of the referenced .b64 contents and the consuming code paths to determine whether it is used defensively (IOC matching/blocking) or offensively (targeting/exploitation/infra abuse).