Trend Micro has recently spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner. These containers then use scripts to spread to other systems. […]

from https://www.bleepingcomputer.com/news/security/exposed-docker-apis-continue-to-be-used-for-cryptojacking/