Security researchers at Wiz have identified a new threat campaign called “JINX-0126” that specifically targets PostgreSQL servers. The campaign abuses weak PostgreSQL login credentials to deploy a fileless cryptocurrency miner known as “XMRig-C3,” potentially affecting thousands of systems worldwide.

Widespread Attack on Public PostgreSQL Instances

On March 31, 2025, Wiz reported that this attack campaign is actively targeting PostgreSQL servers with public-facing configurations. The attackers are exploiting easily guessable and weak authentication credentials to gain access to these database instances.

According to Wiz’s investigation, more than 1,500 servers may have been affected by this campaign, making it a significant threat to organizations using PostgreSQL databases, particularly in cloud environments.

How the Attack Works

Sophisticated Multi-Stage Compromise

The threat actors behind JINX-0126 employ a methodical approach to compromise vulnerable systems:

  1. Initial Access: Attackers scan for publicly accessible PostgreSQL instances and attempt to log in using weak passwords
  2. Exploitation: Once authenticated, they abuse the PostgreSQL “COPY … FROM PROGRAM” functionality to download and execute malware from external servers
  3. Deception Tactics: The attackers deploy a Go binary named “postmaster” to mimic the legitimate PostgreSQL multi-user database server process
  4. Payload Delivery: The malicious postmaster process then loads another Go binary called “cpu_hu,” which downloads and executes the XMRig-C3 cryptominer

This technique enables remote code execution and ultimately establishes persistent cryptocurrency mining operations on compromised systems.

Why PostgreSQL Servers Are Targeted

PostgreSQL databases are widely used in cloud environments, with approximately one-third of these instances exposed to the internet. This widespread exposure makes them attractive targets for attackers seeking to hijack computational resources for cryptocurrency mining.

Recommended Security Measures

Critical Steps for Organizations Using PostgreSQL

This campaign poses a serious threat to businesses utilizing cloud environments, especially those operating PostgreSQL databases. Security experts recommend implementing the following countermeasures:

1. Implement Strong Authentication

  • Avoid using default passwords
  • Set up complex, difficult-to-guess passwords for all database accounts

2. Strengthen Access Controls

  • Apply appropriate firewall settings
  • Limit public internet exposure when not necessary for operations

3. Deploy Threat Detection Solutions

  • Utilize EDR (Endpoint Detection and Response) products capable of detecting fileless attacks
  • Implement cloud security tools with advanced monitoring capabilities
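As an added illustration of the detection point above (this is example code written for this page, not tooling from Wiz or the article), the script below triages PostgreSQL server logs for the two behaviours the campaign description names: bursts of failed password logins from one source address, and any statement that uses COPY ... FROM PROGRAM (or TO PROGRAM). The sample log lines are constructed, and the script assumes a log_line_prefix of '%m [%p] %u@%d %h ' (a hypothetical setting; adapt LINE_RE to your own prefix).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumes log_line_prefix = '%m [%p] %u@%d %h ' (hypothetical).
# The command inside PROGRAM is deliberately redacted.
SAMPLE_LOG = """\
2025-03-31 10:15:02.123 UTC [4321] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-03-31 10:15:03.981 UTC [4322] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-03-31 10:15:05.204 UTC [4323] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-03-31 10:15:09.456 UTC [4326] postgres@postgres 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2025-03-31 10:15:10.120 UTC [4326] postgres@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM '[redacted]'
2025-03-31 10:20:00.000 UTC [4400] app@inventory 10.0.0.12 LOG:  statement: COPY items FROM '/var/lib/postgresql/items.csv'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# COPY ... FROM/TO PROGRAM runs a shell command on the database host (superuser or
# pg_execute_server_program only), so any occurrence is worth an alert. Plain file COPY is not.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)
AUTH_FAIL_RE = re.compile(r"password authentication failed for user")

def parse(line):
    """Split one log line into fields, or return None if it does not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def detect(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts: ('copy_program', host, user, msg) and ('auth_bruteforce', host, n, first_ts)."""
    alerts, failures = [], defaultdict(list)  # host -> timestamps of failed logins
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if AUTH_FAIL_RE.search(rec["msg"]):
            failures[rec["host"]].append(rec["ts"])
        elif COPY_PROGRAM_RE.search(rec["msg"]):
            alerts.append(("copy_program", rec["host"], rec["user"], rec["msg"]))
    for host, times in failures.items():
        times.sort()  # sliding window: fail_threshold failures inside `window` from one host
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                alerts.append(("auth_bruteforce", host, fail_threshold, times[i]))
                break
    return alerts
```

Running detect(SAMPLE_LOG, fail_threshold=3) on the embedded sample yields one copy_program alert and one auth_bruteforce alert for 203.0.113.5, while the benign file-based COPY from 10.0.0.12 is left alone.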

The Growing Risk to Cloud Environments

As cloud environments continue to rapidly expand, systems without proper security configurations become prime targets for attackers. Organizations must remain vigilant by regularly reviewing security settings and enhancing monitoring capabilities to protect their data and systems from these evolving threats.

The JINX-0126 campaign serves as a stark reminder that even specialized database systems require robust security measures to prevent unauthorized access and resource theft through cryptomining operations.


Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
