JINX-0132: How Cryptojackers Hijacked DevOps Infrastructure via Nomad and Docker

In this episode, we dissect the JINX-0132 cryptojacking campaign — a real-world example of how threat actors are exploiting cloud and DevOps environments to mine cryptocurrency at scale.

We unpack how cybercriminals targeted misconfigured Docker APIs, publicly exposed HashiCorp Nomad and Consul servers, and vulnerable Gitea instances — turning enterprise-grade compute resources into crypto-mining farms, all while staying under the radar. This campaign marks the first publicly documented exploitation of HashiCorp Nomad in the wild.

We discuss:

• How attackers used XMRig, cron jobs, and process-hiding tools to persist and evade detection
• The impact of misconfiguration and unpatched vulnerabilities in fast-moving DevOps workflows
• The financial and operational cost of unauthorized crypto mining in the cloud
• The role of DevSecOps in preventing these attacks, with actionable recommendations for securing your containers and runtimes
• Key practices to “shift left” and catch security flaws early in the software development lifecycle
• Why Cloud Workload Protection Platforms (CWPP) are becoming essential in defending modern cloud-native environments

We also highlight best practices for hardening Docker images, avoiding privileged containers, monitoring system behavior, and responding to incidents with speed and precision.