A compromised Docker image might run this command at startup, exfiltrate the token to a remote server, and silently give the attacker access to the cloud environment.
is used to retrieve an authentication token for AWS Instance Metadata Service Version 2 (IMDSv2) [1.1]. This mechanism is a security enhancement designed to prevent Server-Side Request Forgery (SSRF) by requiring a session-oriented PUT request rather than simple GET requests [1.1, 1.2]. Official AWS documentation and security research from Netflix detail how this token-based approach secures EC2 instance metadata access [1.1, 1.2].

curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken
URL-encoding ( http-3A-2F-2F for http:// ) is a common obfuscation technique to evade pattern matching. Security tools must decode strings before comparing against known malicious patterns.
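
The decode-before-compare step described above, as an added example that is not from the original page: a small scanner that normalizes a string before checking it for the IMDSv2 token endpoint. The function names and sample strings are hypothetical, and treating `-XX` as an encoded byte is an assumption based on the slug form shown above.

```python
import re
from urllib.parse import unquote

# Endpoint named on the page: the IMDSv2 token path on the link-local metadata address.
IMDS_TOKEN = re.compile(r"169\.254\.169\.254/+latest/+api/+token", re.IGNORECASE)

# Slug-style variant seen on the page: "-3A" for ":" and "-2F" for "/" (assumed encoding).
HYPHEN_HEX = re.compile(r"-([0-9A-Fa-f]{2})")


def _hyphen_decode(text):
    """Decode -XX only when XX is ASCII punctuation or space, so 'meta-data' survives."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        ok = ch.isascii() and ch.isprintable() and not ch.isalnum()
        return ch if ok else m.group(0)
    return HYPHEN_HEX.sub(repl, text)


def decoded_forms(text, max_rounds=4):
    """Return the raw string plus each successive decoding, stopping at a fixed point."""
    forms = [text]
    for _ in range(max_rounds):  # bounded, so nested encodings cannot loop forever
        nxt = _hyphen_decode(unquote(forms[-1]))
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def references_imds_token(text):
    """True if the raw string or any decoding of it names the IMDSv2 token endpoint."""
    return any(IMDS_TOKEN.search(form) for form in decoded_forms(text))


# Constructed sample strings, e.g. lines pulled from image layers or entrypoint scripts.
SAMPLES = [
    "curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken",     # form on the page
    "http%3A%2F%2F169.254.169.254%2Flatest%2Fapi%2Ftoken",              # percent-encoded
    "http%253A%252F%252F169.254.169.254%252Flatest%252Fapi%252Ftoken",  # double-encoded
    "curl https://example.com/meta-data-2024/health",                   # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(references_imds_token(sample), sample)
```

Matching every intermediate form, rather than only the final one, keeps the check from missing a string that a later decoding round would alter.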