The AI and Tech Weekly: June 26, 2026
SECTION 1: LINKEDIN POST
🚨 My VPS was crypto-jacked after installing an “OpenClaw” alternative. Here is what happened and how to secure your Docker containers.
1️⃣ The Trigger: Hostinger CPU limitation alert. Running top showed 196% CPU usage.
2️⃣ The Discovery: Monero miners running in /tmp of my Next.js container.
3️⃣ The Attack vector: Classic curl | bash supply chain attack run as root, combined with MDX server-side rendering execution.
4️⃣ The Fix: Hardened docker-compose.yml with read-only filesystems, dropped capabilities, and noexec on /tmp.
Read the full technical breakdown, IoCs, and compose configurations: https://belghitis.com/digest/digest-2026-06-26
#devops #security #docker #selfhosted
📰 Stories Worth Your Attention
- Hostinger CPU limitation alert reveals Monero mining activity inside container /tmp.
- Attackers gained persistence using a systemd service masquerading as openfang.
- Server-side rendering of MDX documents used as remote code execution entry point.
- Hardening container security is essential for self-hosted developer tools.
🛠 Tips and Tricks from the Community
- Mount /tmp as a tmpfs with noexec,nosuid,size=50m in Docker Compose to block arbitrary binary execution.
- Set read_only: true on your container service to prevent attackers from writing payload files.
- Limit CPU and memory resources per container to contain the performance impact in case of a breach.
🔓 Open Source Pick of the Week
- Bumblebee — A dependency scanner from Perplexity AI to verify third-party taps and packages without running install scripts.
SECTION 2: MEDIUM ARTICLE
My VPS Was Crypto-Jacked After Installing an “OpenClaw” Alternative
Sharing this with the community so you don’t make the same mistakes.
The Trigger
Hostinger sent a CPU limitation alert on my VPS. I SSHed in and ran top: my server was pegging 196% CPU. Nothing obvious in my own apps. Then I checked Docker:
docker exec myapp ls -lah /tmp
Three ELF binaries sitting in /tmp of my Next.js container, owned by the nextjs process user:
HelloMrMeeseekspls_pak_choiplazooza
These were Monero miners running silently for days before triggering the CPU limit.
What the Attacker Did: Step by Step
- I opened the door myself: I ran a few tools on my production server as root without auditing their install scripts. Classic curl | bash supply-chain risk.
- Persistence: the installation script registered a systemd service called openfang that restart-looped, killing the CPU.
- RCE into Docker: write access to a mounted host volume allowed the execution of arbitrary code inside the container, dropping miners into /tmp.
What I Fixed
I cleaned up the binaries, disabled the rogue systemd service, and hardened docker-compose.yml with:
- read_only: true to lock down the filesystem.
- tmpfs /tmp:noexec,nosuid,size=50m to prevent executing binaries from /tmp.
- cpus: 1.0 and mem_limit: 512m to cap resource usage.
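The hardened docker-compose.yml that the Tips section and the fix list above describe, written out as an added example (this is not the author's own file). The read_only flag, the /tmp tmpfs options, and the cpus and mem_limit values are the ones the article names; the service name, image, UID, port and the writable Next.js cache path are assumptions, and the commented-out "before" lines show the kind of configuration the article says let the miners in (a writable host volume and a root process).

```yaml
# Added example: hardened Compose service for a self-hosted Next.js app.
# Service name, image, UID and cache path are assumptions for illustration.
services:
  myapp:
    image: myapp:latest                 # assumed image name

    # --- before (the exposure described in the article) ---
    # user: root                        # container process ran as root
    # volumes:
    #   - ./data:/app/data              # writable host mount reachable from the app

    # --- after ---
    user: "1001:1001"                   # assumed UID of the non-root nextjs user
    read_only: true                     # root filesystem cannot be modified
    tmpfs:
      - /tmp:rw,noexec,nosuid,nodev,size=50m   # scratch space, but nothing in it can run
      - /app/.next/cache:rw,noexec,nosuid,size=100m   # assumption: Next.js needs a writable cache
    cap_drop:
      - ALL                             # no Linux capabilities for a web process
    security_opt:
      - no-new-privileges:true          # setuid/setcap binaries cannot escalate
    cpus: "1.0"                         # cap at one core: a miner cannot peg the host
    mem_limit: 512m
    pids_limit: 256                     # bounds fork storms from a dropped payload
    ports:
      - "127.0.0.1:3000:3000"           # publish only to the loopback, reverse proxy in front
    restart: unless-stopped
```

After bringing the service up, `docker inspect` on the container shows `"ReadonlyRootfs": true`, the `Tmpfs` map carrying the `noexec,nosuid` options, and `NanoCpus` / `Memory` set, which is the quickest way to confirm the settings actually applied; with this configuration a binary dropped into /tmp fails with "Permission denied" at exec time rather than running as a miner.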
Protect your servers: audit what you run, lock down your containers, and never run untrusted scripts as root.