Scenario #297
Security
Kubernetes v1.25, GKE
Malicious Init Container Used for Reconnaissance
A pod was launched with a benign main container and a malicious init container that copied node metadata.
What Happened
The init container copied node files (e.g., /etc/resolv.conf) and cloud instance metadata to an external storage bucket, then terminated normally so the pod looked healthy.
Diagnosis Steps
1. Enabled audit logs for object storage.
2. Traced the writes back to a pod with a suspicious init container.
3. Reviewed the init container image and found embedded exfiltration logic.
Root Cause
No validation of init container images or of their runtime behavior.
Fix/Workaround
• Blocked unknown container registries via policy.
• Implemented runtime security agents to inspect init container behavior.
Lessons Learned
Init containers must be treated as full-fledged security risks.
How to Avoid
1. Verify init container images and registries.
2. Use runtime tools (e.g., Falco) for behavior analysis.
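The registry policy from the fix and step 1 above, as an added example (not code from this scenario or from GKE): an admission-style check that resolves the registry of every image in a pod and rejects any outside an allowlist. It deliberately walks initContainers and ephemeralContainers as well as containers, because a policy that only inspects spec.containers never sees the init container that did the copying. The allowlist and the sample pod are constructed assumptions.

```python
"""Admission-style registry allowlist covering init, main and ephemeral containers."""
from typing import Dict, List

# Assumption: the organisation's approved registries (constructed list).
ALLOWED_REGISTRIES = {"gcr.io", "europe-docker.pkg.dev", "registry.internal.example"}


def registry_of(image: str) -> str:
    """Return the registry of an OCI image reference.

    Follows the docker/containerd convention: the first path component is a
    registry only if it contains '.' or ':' or equals 'localhost'; otherwise the
    reference is implicitly docker.io (e.g. 'busybox:1.36', 'library/busybox').
    The digest is stripped first because 'sha256:...' also contains ':'.
    """
    ref = image.split("@", 1)[0]
    first, sep, _ = ref.partition("/")
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def pod_image_violations(pod: Dict) -> List[str]:
    """Return one message per container whose image is outside the allowlist.

    Init containers are checked first and on equal footing with main
    containers: they run with the pod's service account and node access
    before the workload starts, so they are not a lesser risk.
    """
    spec = pod.get("spec", {})
    violations = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            reg = registry_of(c["image"])
            if reg not in ALLOWED_REGISTRIES:
                violations.append(
                    f"{kind}/{c['name']}: image {c['image']} is from unapproved registry {reg}")
    return violations


# Constructed pod mirroring the scenario: approved main image, init image from an unknown registry.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-0"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "unknown-registry.example/setup:v1"}],
        "containers": [{"name": "web", "image": "gcr.io/my-project/web@sha256:" + "0" * 64}],
    },
}

if __name__ == "__main__":
    for v in pod_image_violations(SAMPLE_POD):
        print("DENY", v)
```

Wire the same function into a validating admission webhook (or port the rule to Kyverno or Gatekeeper) so the pod is rejected before the init container ever runs.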