The Obedient Accomplice

How a poisoned label turned Docker's AI into an obedient burglar.

The Setup

Ask Gordon is, by design, a good listener. Docker's AI assistant reads container image metadata and answers questions about it in plain English. It ingests, reasons, replies. Helpful, by any measure.

The trouble, as we discovered, is that helpfulness has no opinions about the source of its instructions.

The attack, DockerDash, begins with something as mundane as a Docker image LABEL — the small text fields developers routinely attach as documentation. A label might say maintainer: [email protected], or version: 2.3.1, or, in the case of a malicious image, something considerably more ambitious. The attacker's label looked, to casual inspection, like metadata. To Gordon, reading it as context for a conversation, it looked like a task. That gap — between description and instruction, between passive and active — is the entire vulnerability.

How It Happened

Attack Propagation: Through the AI Kill Chain

DockerDash didn't exploit a single flaw. It traveled — methodically, quietly — through all ten stages of the AI Kill Chain.

It entered at Stage 1 (AI Recon) through silent behavioral fingerprinting: the attacker studied how Gordon processed metadata before ever touching a LABEL field. Human oversight was neutralized at Stage 2 (Trust and Manipulation) — the human-in-the-loop was bypassed entirely because there was no visible interaction for anyone to review.

At Stage 3 (Instruction and Weaponization), Instruction Smuggling and Format Confusion turned an innocuous documentation field into a covert command channel. Stage 4 (Reasoning and Execution) delivered Goal Substitution — Gordon's reasoning was redirected without its awareness or any user input.

The middle stages compounded the damage. Unauthorized Tool Invocation at Stage 5 handed execution to the MCP gateway. Credential Overreach via AI at Stage 6 gave the attacker the victim's own Docker privileges — access they could not have obtained through conventional means. Workflow and Automation Hijacking at Stage 7 spread the impact laterally across containers without further attacker involvement.

At Stage 8 (Persistence), cached images in registries ensured the attack would survive indefinitely. Stage 9 (AI C&C) enabled Trigger-Based Control — new instructions embedded in metadata could redirect Gordon at any time, with no traditional command-and-control infrastructure required. Stage 10 delivered the objective: containers stopped, operations disrupted — Autonomous Fraud and Abuse, executed without the attacker ever directly touching the victim's environment.

The Fix, and What It Doesn't Fix

Docker moved quickly. By February 3rd of this year, the company shipped a patch in Docker Desktop version 4.50.0, tightening the trust relationship between Gordon and the metadata it ingests. For users who have updated, the doorway is closed.

For developers and organizations still exposed, the steps are straightforward:

• Upgrade to Docker Desktop 4.50.0 or later.

• Avoid unverified or untrusted Docker images; prefer images from vetted registries.

• Treat AI-assisted tooling outputs as proposals, not conclusions — review any action Gordon suggests before allowing execution.

For AI and platform vendors, the obligation runs deeper:

• Treat all external metadata — especially Docker image labels — as untrusted input, and validate it strictly.

• Require explicit user confirmation before any MCP tool invocation.

• Enforce least privilege for any AI-triggered tool execution.

The patch closes this particular doorway. The deeper assumption it exposed — that an AI capable of reading everything is wise enough to distrust some of it — remains very much open. As AI assistants absorb context from codebases, configuration files, and container metadata, the surface area for this kind of manipulation grows in direct proportion to their capability. Each new tool an AI can invoke, each new source of context it can ingest, is also a new avenue for an attacker who understands how the model thinks.

Gordon was doing its job. It read the label. It followed the instructions. It was, in the fullest and most disconcerting sense of the word, helpful.

Every AI assistant that reads external context is a potential Gordon. Lineaje UnifAI maps your AI inventory, sets policy, and defends at runtime — so the next poisoned label finds a closed door. See Lineaje UnifAI.

Industry Context

• Mitre Atlas: AML.T0043, AML.T0051, AML.T0053, AML.T0010, AML.T0083

• OWASP Top 10 for Agentic Applications: ASI01, ASI02, ASI03, ASI05, ASI06

• OWASP LLM Top 10: LLM01, LLM02, LLM07

Resources

To learn more about the AI Kill Chain, see Lineaje AI Kill Chain White Paper.