Unmasking the Docker ONBUILD Supply Chain Attack Vector

Docker's ONBUILD directive is a feature designed to reduce boilerplate in downstream images. This article demonstrates how a compromised or malicious base image can exploit ONBUILD to intercept build-time secrets, tamper with build outputs, and achieve arbitrary remote code execution during a downstream build. None of this is visible in the downstream Dockerfile itself, because the triggers live only in the base image's configuration.
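Because the triggers are recorded in the base image rather than in the child Dockerfile, the defensive check is to read them out of the image config before building on it. The script below is an added example, not code from the article or from O3 Cyber: it parses the JSON that `docker image inspect` prints (the `.Config.OnBuild` field), lists every trigger, and flags the ones that run code, pull in the build context, or mount a build secret. The image name, digest and trigger strings are constructed sample data.

```python
"""Audit a base image's config for ONBUILD triggers before building on it.

Added example, not from the article. It reads the `.Config.OnBuild` list that
`docker image inspect <image>` reports; those instructions never appear in the
downstream Dockerfile and only execute when a child image is built.
"""
import json
import subprocess

# Constructed sample of `docker image inspect` output, trimmed to the fields
# this check uses. A real run returns a list with one object per image.
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:" + "0" * 64,  # placeholder digest, not a real image
    "RepoTags": ["example/base:1.0"],
    "Config": {
        "OnBuild": [
            "COPY . /app",
            "RUN --mount=type=secret,id=npmrc npm ci",
            "RUN echo build",
        ]
    },
}])

# Trigger instructions that deserve review: they execute in the downstream
# build with access to its build context and, with --mount, its secrets.
RISKY_INSTRUCTIONS = {"RUN", "COPY", "ADD"}


def onbuild_triggers(inspect_json: str) -> list[str]:
    """Return the ONBUILD triggers recorded in the image config (may be empty)."""
    triggers: list[str] = []
    for image in json.loads(inspect_json):
        triggers.extend(image.get("Config", {}).get("OnBuild") or [])
    return triggers


def classify(trigger: str) -> str:
    """'secret' if the trigger mounts a build secret, 'risky' for RUN/COPY/ADD, else 'info'."""
    if "--mount=type=secret" in trigger:
        return "secret"
    instruction = trigger.split(None, 1)[0].upper()
    return "risky" if instruction in RISKY_INSTRUCTIONS else "info"


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Group the image's ONBUILD triggers by the label from classify()."""
    report: dict[str, list[str]] = {"secret": [], "risky": [], "info": []}
    for trigger in onbuild_triggers(inspect_json):
        report[classify(trigger)].append(trigger)
    return report


def inspect_image(ref: str) -> str:
    """Fetch real inspect JSON for an image (requires a local Docker daemon)."""
    return subprocess.check_output(["docker", "image", "inspect", ref], text=True)


if __name__ == "__main__":
    for label, items in audit(SAMPLE_INSPECT).items():
        for item in items:
            print(f"[{label}] {item}")
```

Run `audit(inspect_image("registry/base:tag"))` against a real image to check it before it is used as a `FROM`; an empty report means the image carries no ONBUILD triggers.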

O3 Cyber