
The high cost of misconfigured DevOps tools: Global cryptojacking hits enterprises – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Attackers exploit exposed Nomad, Docker, and Gitea instances to deploy XMRig miners within minutes, draining cloud resources and evading detection.

A massive ongoing cryptojacking operation is actively exploiting misconfigured DevOps tools, including Nomad, Consul, Docker, and Gitea, to hijack computing power for cryptocurrency mining, Wiz Threat Research revealed.

Dubbed Jinx-0132 by researchers, the campaign has compromised systems globally with attackers deploying XMRig-based miners within minutes of breaching exposed APIs and weak configurations.

This marks the first known case of attackers abusing Nomad misconfigurations as an entry point. The group behind Jinx-0132 avoids traditional malware detection by pulling unaltered tools directly from public GitHub repositories, relying on a “living-off-open-source” approach that leaves no unique digital fingerprints, complicating detection and attribution, according to Wiz’s blog post.

The campaign has compromised large Nomad clusters worldwide, which run hundreds of clients and consume compute resources worth tens of thousands of dollars per month, according to the study. This mirrors Wiz’s earlier discovery of “SeleniumGreed,” but with a critical twist: Jinx-0132 completely avoids attacker-controlled infrastructure, instead relying on legitimate services and standard XMRig releases. 

DevOps tools in the crosshairs

Jinx-0132 specifically targets exposed and misconfigured instances of Nomad (orchestration), Consul (networking), Docker (containers), and Gitea (code collaboration) — core tools in modern DevOps pipelines, according to Wiz.

These services are often left unsecured, letting attackers run containers, schedule jobs, or execute code at will. The attackers scan the internet automatically to find weak spots and deploy cryptominers within minutes.

Cloud workloads running these tools are especially at risk. Once compromised, attackers siphon off significant computing power, resulting in unexpected cloud bills and slower application performance. Some affected Nomad clusters managed hundreds of clients, proving that even large, well-funded enterprises can be covertly drained due to simple misconfigurations.

Lockdown of DevOps exposure

Wiz urges organizations to lock down exposed DevOps infrastructure by following established best practices. For Nomad, enforcing access control lists (ACLs) would have blocked the unauthenticated job executions used in this campaign. Public Gitea instances should be fully patched, with git hooks disabled and the installation locked unless absolutely needed.

In Consul, disabling script checks and binding the HTTP API to localhost can prevent unauthorized service access. As for Docker, the API is meant to stay internal — exposing it to the internet, especially via 0.0.0.0, opens a direct path for exploitation. Minimizing external exposure, enabling authentication, and applying least-privilege access across all tools are critical steps to stop similar attacks in their tracks.
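As an added illustration (not code from the article or from Wiz), the following Python helper checks the four settings the article calls out against constructed weak and corrected sample configs; the function names and sample values are assumptions, while the key names are the ones each tool documents for Docker's daemon.json, Consul and Nomad JSON config files, and Gitea's app.ini.

```python
"""Flag the exposures named above in Docker, Consul, Nomad and Gitea configs.
Added audit helper, not Wiz's or CSO Online's code; sample configs are
constructed and key names follow each tool's documented config format."""
import configparser
import json
from urllib.parse import urlparse
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_docker(daemon_json):
    # daemon.json: a tcp:// listener off loopback exposes the Docker API.
    cfg, findings = json.loads(daemon_json), []
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme == "tcp" and u.hostname not in LOOPBACK and not cfg.get("tlsverify"):
            findings.append("docker: API on %s without TLS client auth" % host)
    return findings

def audit_consul(consul_json):
    # Consul JSON config: script checks on, or HTTP API bound beyond localhost.
    cfg, findings = json.loads(consul_json), []
    if cfg.get("enable_script_checks"):
        findings.append("consul: enable_script_checks lets checks run commands")
    http = cfg.get("addresses", {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    if http not in LOOPBACK:
        findings.append("consul: HTTP API bound to %s, not localhost" % http)
    return findings

def audit_nomad(nomad_json):
    # Nomad JSON config: with acl.enabled unset, job submission is unauthenticated.
    enabled = json.loads(nomad_json).get("acl", {}).get("enabled")
    return [] if enabled else ["nomad: ACLs not enabled"]

def audit_gitea(app_ini):
    # Gitea app.ini [security]: installer left open, git hooks re-enabled.
    cp = configparser.ConfigParser()
    cp.read_string(app_ini)
    findings = []
    if not cp.getboolean("security", "INSTALL_LOCK", fallback=False):
        findings.append("gitea: INSTALL_LOCK false, install page still reachable")
    if not cp.getboolean("security", "DISABLE_GIT_HOOKS", fallback=True):  # default is true
        findings.append("gitea: DISABLE_GIT_HOOKS explicitly set to false")
    return findings

# Constructed weak/fixed pairs mirroring the hardening advice in the article.
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
FIXED_DOCKER = '{"hosts": ["unix:///var/run/docker.sock"]}'
WEAK_CONSUL = '{"enable_script_checks": true, "addresses": {"http": "0.0.0.0"}}'
FIXED_CONSUL = '{"enable_script_checks": false, "addresses": {"http": "127.0.0.1"}}'
WEAK_NOMAD, FIXED_NOMAD = '{"acl": {"enabled": false}}', '{"acl": {"enabled": true}}'
WEAK_GITEA = "[security]\nINSTALL_LOCK = false\nDISABLE_GIT_HOOKS = false\n"
FIXED_GITEA = "[security]\nINSTALL_LOCK = true\nDISABLE_GIT_HOOKS = true\n"
```

Each `audit_*` function returns an empty list for the corrected sample and one finding per weak setting, so it can be dropped into a CI step that fails the build when the list is non-empty.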

Why are configs now the target?

Jinx-0132 signals a shift in cloud threats—from exploiting software flaws to targeting operational blind spots. Instead of custom malware, attackers are now leveraging misconfigurations and legitimate open-source tools, slipping past traditional IOC-based defenses.

The campaign underscores two key trends: threat actors are moving beyond core cloud infrastructure to exploit DevOps pipelines, and they’re leaning on “living-off-open-source” tactics to stay hidden. In complex cloud-native setups, even small configuration lapses can have an outsized impact, making continuous auditing just as critical as real-time monitoring.


Mastufa Ahmed is a business and technology journalist with 15+ years of experience decoding AI, enterprise technology, and the future of work. He’s worked with TechRadar India, Times Group, BW CIOWORLD, and PCQuest, writing data-driven stories that help business and tech leaders make better decisions.


Original Post url: https://www.csoonline.com/article/4000714/the-high-cost-of-misconfigured-devops-global-cryptojacking-hits-enterprises.html

Category & Tags: Development Tools, Security, Vulnerabilities
