Fake Docker Hub / GHCR / ECR secret-leak credential breach lure — email claims Docker Hub, GHCR, GitLab Container Registry, Quay.io, Amazon ECR, ACR, or Google Artifact Registry detected hard-coded secrets in the recipient's container images, demands immediate credential rotation at a fake security console. Flare Sep 2025: 10,000+ Docker Hub images exposing AWS/DB/API keys; THN Dec 2025 IAM-crypto-mining chain. Distinct from `fake-docker-hub-desktop-subscription-billing-phish` (billing, not secret-leak).
fake-docker-hub-credential-breach-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
This signal matches email claiming that Docker Hub, GitHub Container Registry (GHCR), GitLab Container Registry, Quay.io, Amazon ECR, Azure Container Registry (ACR), or Google Artifact Registry has detected hard-coded secrets (AWS keys, database passwords, API tokens) in the recipient's public container images, and demanding immediate credential rotation at a fake security console URL.

Flare's September 2025 research found 10,000+ Docker Hub images exposing secrets from over 100 organizations (AWS keys, DB credentials, API tokens); The Hacker News December 2025 traced an IAM-crypto-mining chain that started with a malicious Docker image pulled 100,000+ times; The Hacker News April 2026 reported CVE-2026-34040 making Docker Hub-themed social engineering more plausible.

The lure exploits DevOps team urgency around secret exposure (a real and well-publicized problem) combined with the normalized CI/CD pattern of receiving registry alerts by email. Real alerts from Docker Hub, GitHub, and GitLab reference specific image digests and link to official security dashboards on the official domain.

This signal is distinct from `fake-docker-hub-desktop-subscription-billing-phish` (billing impersonation, not secret-leak panic) and `fake-github-gitlab-developer-account-security-phish` (account-level takeover, not container-registry secrets). It fires on the triple of container-registry brand + secret-exposure alert + rotate/revoke CTA.
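As an added illustration (not Gorganizer's own code), the sketch below implements the triple described above and also lists links whose host is not an official registry domain. The regex patterns, the domain allowlist, the function names and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed patterns and allowlist for illustration; not Gorganizer's actual rules.
BRAND = re.compile(
    r"docker hub|github container registry|\bghcr\b|gitlab container registry|"
    r"quay\.io|amazon ecr|\becr\b|azure container registry|\bacr\b|"
    r"google artifact registry", re.I)
SECRET_ALERT = re.compile(
    r"(hard-?coded|exposed|leaked)\s+(secrets?|credentials?|api (keys?|tokens?)|"
    r"aws keys?|database passwords?)", re.I)
CTA = re.compile(
    r"\b(rotate|revoke|reset)\b.{0,60}\b(credentials?|keys?|tokens?|secrets?)\b",
    re.I | re.S)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)
OFFICIAL = ("docker.com", "github.com", "gitlab.com", "quay.io",
            "amazon.com", "azure.com", "google.com")


def is_official(host):
    """True only for an allowlisted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def score_registry_lure(subject, body):
    """Evaluate the three sub-signals and collect off-domain link hosts."""
    text = f"{subject}\n{body}"
    hosts = [urlparse(u).hostname or "" for u in URL.findall(text)]
    result = {
        "brand": bool(BRAND.search(text)),
        "secret_alert": bool(SECRET_ALERT.search(text)),
        "cta": bool(CTA.search(text)),
        "off_domain_links": sorted({h for h in hosts if not is_official(h)}),
    }
    # The signal fires on the triple; off-domain links are corroboration only.
    result["fires"] = result["brand"] and result["secret_alert"] and result["cta"]
    return result


# Constructed sample messages (not real mail).
LURE = ("[Docker Hub] Action required: secrets detected",
        "We detected hard-coded secrets (AWS keys) in your public image. "
        "Rotate your credentials now: "
        "https://hub.docker.com.security-console.example/rotate")
BENIGN = ("Docker Hub weekly digest",
          "Your image was pulled 42 times. Details: https://hub.docker.com/r/acme/app")
```

The suffix comparison in `is_official` is what keeps a host that merely begins with `hub.docker.com.` from passing as the official domain. A genuine registry alert can still satisfy the triple, so the match is a contribution to a score rather than a verdict.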
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.