Well that was unexpected. Not. Some details:

Kromtech said the malicious Docker images (17 in total) were pulled down from the Docker Hub image repository. Researchers can’t say for sure how many times the rogue containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available.

I still wait for malicious NPM packages that inject code into production builds and run on the end-users browsers in WebWorkers.

That's one problem with using a dependency of a dependency of a dependency.