Source: Higress
01 What happened

OneAPI is an AI gateway tool with 20,000 stars on GitHub, the open source code hosting platform. Users of this tool found that after installing the latest version of its image, a certain proportion of CPU was being consumed [1].
It was eventually determined that the DockerHub image had been poisoned: an XMR (Monero) mining script was implanted into the image, causing high CPU usage:
It has now been confirmed that the DockerHub push key was leaked, allowing the attackers to implant mining scripts into multiple image versions:
With the booming cryptocurrency market, security incidents involving mining scripts have been on the rise in recent years. Attackers look for the DockerHub repositories of popular open source projects to break into.
Aviv Sasson, a security researcher at Palo Alto Networks, discovered 30 Docker images implanted with mining Trojans; these images were downloaded a total of 20 million times and are estimated to have helped the attackers mine $200,000 worth of cryptocurrency.
Mining scripts being injected into Docker images is not an isolated phenomenon but a security issue that deserves attention.
02 Some background knowledge

2.1. DockerHub

DockerHub is the world's largest container image hosting service, with more than 100,000 container images from software vendors and open source projects.
A container image is a complete package of a piece of software together with its runtime environment, so installation no longer requires complex configuration procedures.
A container image hosting service is an online platform for storing and sharing container images. Think of it as a "big store" of applications, stocked with packages of all kinds of software.
Because DockerHub provides a free service, many open source software projects choose to publish their container images there, which makes it easy for users to obtain, install and use the software.

2.2. AI Gateway

OneAPI, the project whose image was trojanized, is an open source AI gateway tool.
As the number of AI vendors grows, the capabilities of LLM models are gradually converging. AI gateways emerged to address the various needs that arise in practice: an AI gateway receives user requests through a single entry point and then forwards them to different LLM models for processing.
There are several common usage scenarios for using AI gateways:
Improving the stability of the overall service: when one model has a problem, you can switch to another.
Reducing costs: Expensive models can be replaced with cheaper models when appropriate, such as using DeepSeek to replace ChatGPT.
Moreover, this switching is transparent to users, so the user experience is not affected. Through an AI gateway, the various model resources can be used more flexibly and efficiently, which is why it is widely adopted by AI application developers.

03 How to prevent similar risks

The author of this article is one of the maintainers of Higress, another open source AI gateway project. I noticed this problem while following OneAPI, so I would like to share Higress's experience in preventing such risks.
Higress is gateway software open sourced by Alibaba Cloud [1]. Unlike OneAPI, which is only an AI gateway tool, Higress builds its AI gateway capabilities on top of API gateway capabilities, and it is jointly maintained by the Alibaba Cloud R&D team behind the commercial product Cloud API Gateway rather than being a personal project.
Higress has always used Alibaba Cloud Container Image Service for image storage, and has its own official Helm repository (package management for installation in K8s environments).
Using Alibaba Cloud Container Image Service has at least two benefits:
It is not affected by the DockerHub network block, is more user-friendly, and image pulls are faster.
Image security scanning can be performed, and risky image pushes can be intercepted automatically.
The second point is the core of preventing open source image poisoning, as shown in the following screenshot:
Based on the cloud-native delivery chain feature of Alibaba Cloud Container Image Service, a malicious script scan runs immediately after an image is pushed; if a risk is found, the image can be deleted immediately.
It is also important that every new release is produced not by a person but automatically by a program. Whenever a version is released, the Higress community automatically builds the container images and installation packages through GitHub Actions, with the image registry key stored as a GitHub Secret. Permission to release a version can be granted to other collaborators in the community without giving them the image registry password.
04 Quickly experience Higress AI Gateway

Higress AI Gateway supports one-line installation:

```bash
curl -sS https://higress.cn/ai-gateway/install.sh | bash
```

After running the command, you can initialize the configuration from the command line. You can see that Higress's AI gateway supports integration with all mainstream LLM model suppliers:
You can also skip this step and configure the API Key of the corresponding supplier in the Higress console:
After configuration it can be used directly, for example with OpenAI's SDK:

```python
from openai import OpenAI

client = OpenAI(
    api_key="xxxxx",  # a consumer key generated in Higress, used for secondary sub-leasing of the real API key
    base_url="http://127.0.0.1:8080/v1",
)

completion = client.chat.completions.create(
    # model="qwen-max",
    # model="gemini-1.5-pro",
    model="deepseek-chat",  # any model name can be given; Higress routes it to the corresponding supplier
    messages=[
        {"role": "user", "content": "Hello"}
    ],
    stream=True,
)

for chunk in completion:
    print(chunk.choices[0].delta)
```

In the monitoring panel you can see each model, as well as the token consumption and call latency of each consumer:
In addition, compared with OneAPI, Higress provides more practical features, such as:
API Key governance: supports configuring an API Key pool to balance load across multiple keys. When a key becomes unavailable, for example because it has been rate-limited, it is automatically blocked and automatically restored once it is available again.
Consumer management: by creating consumers, the real supplier API Key can be sub-leased to callers without being exposed to them, and the call permissions and call quotas of different consumers can be managed at a fine granularity.
Fallback model: supports configuring a fallback model; for example, when a request to the DeepSeek model fails, it automatically falls back to the OpenAI model.
Model gray release: supports smooth migration between models and proportional gray (canary) traffic splitting. See "DeepSeek-R1 is coming, how to smoothly migrate from OpenAI to DeepSeek".
Higress's plug-in marketplace also offers many out-of-the-box plug-ins, such as prompt templates, AI caching, data masking, content safety, etc.:
The plug-in code is also open source; you can develop your own plug-ins and hot-load them on the gateway with no impact on traffic. This is very friendly to real-time session scenarios such as the Realtime API, since long-lived connections are not disconnected.