Threat / Phishing & impersonation

Fake Docker Hub / Docker Desktop subscription suspended, image pull rate exceeded, private repositories inaccessible, or CI/CD pipeline disabled due to billing failure phishing

fake-docker-hub-desktop-subscription-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Docker Hub or Docker Desktop claiming the subscription has been suspended, image pull rate has been exceeded, private repositories are inaccessible, or the CI/CD pipeline has been disabled due to a billing failure — directing victims to update payment through a credential-harvesting portal. A high-impact attack category targeting developer infrastructure.

Key facts:

(1) Docker Hub serves 11M+ registered developers as the world's largest container image registry with Pro ($9/month) and Team ($7/seat/month) plans; Docker Desktop is required by virtually all container development workflows and has had a paid Business plan enforced since January 2022 ($21/month/user at organizations with 250+ employees) — a 'Docker Hub subscription suspended' email immediately threatens every container-based development pipeline the developer or team runs.

(2) The 'image pull rate exceeded' hook is uniquely credible because Docker Hub genuinely implemented rate limiting in 2020 (100 pulls/6 hours for anonymous, 200/6 hours for free accounts) and developers who have hit these limits while running CI/CD pipelines have directly experienced 'pull rate exceeded' errors stopping their builds; attackers mimic this legitimate constraint using familiar error language.

(3) The target population is highly technical but often under time pressure: developers in the middle of debugging a Kubernetes deployment or running a timed CI/CD release pipeline who receive 'your image pulls are suspended' will feel immediate production urgency that overrides careful sender-domain scrutiny.

(4) Docker credentials expose multi-layered infrastructure access: Docker Hub credentials often use Docker-ID which is shared across Docker Desktop, Docker Scout (security scanning), and Docker Build Cloud; the Docker access token format is also used for automated CI/CD pipeline authentication (GitHub Actions, CircleCI, Jenkins) meaning a phished credential compromise can propagate into the CI/CD secrets store.

(5) The Docker Hub phishing template has high plausibility because Docker Hub sends legitimate payment failure notifications that developers have seen — the attack vector matches a real notification format, including the 'update your billing information to restore pull access' call to action that mirrors genuine Docker communications.

Warning signs: sender not docker.com or hub.docker.com; genuine Docker billing at hub.docker.com/billing.
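The warning signs above can be expressed as a small check over a raw message. This is an added example, not Gorganizer's own code: the function names, the lure regexes and the rule for when the signal fires are assumptions made for illustration, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure phrasings drawn from the hooks described above; the regexes are illustrative.
LURES = [
    r"subscription (has been |is )?suspended",
    r"pull rate (limit )?(has been )?exceeded",
    r"private repositor(y|ies) (are |is )?inaccessible",
    r"pipeline (has been |is )?disabled",
    r"billing (failure|information)|update (your )?payment",
]
TRUSTED = ("docker.com",)  # hub.docker.com matches as a subdomain

def is_docker_host(host):
    # Exact or true-subdomain match, so "docker.com.evil.example" is rejected.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def text_of(msg):
    # Join the decoded text/* parts; multipart containers are skipped.
    parts = (p for p in msg.walk() if p.get_content_maintype() == "text")
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def docker_billing_phish_signal(raw):
    """Return per-indicator hits for one raw message: a signal, not a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{text_of(msg)}"
    links = re.findall(r"https?://[^\s\"'<>]+", text)
    hits = {
        "claims_docker": bool(re.search(r"\bdocker\b", f"{display} {text}", re.I)),
        "lure": any(re.search(p, text, re.I) for p in LURES),
        "sender_off_domain": not is_docker_host(addr.rpartition("@")[2]),
        "link_off_domain": any(not is_docker_host(urlparse(u).hostname) for u in links),
    }
    # Fire only when the brand claim and a lure coincide with a domain mismatch.
    mismatch = hits["sender_off_domain"] or hits["link_off_domain"]
    hits["fires"] = hits["claims_docker"] and hits["lure"] and mismatch
    return hits

# Constructed sample messages (not real mail); .example hosts are placeholders.
PHISH = ("From: Docker Hub Billing <billing@hub-docker-billing.example>\n"
         "Subject: Your Docker Hub subscription has been suspended\n\n"
         "Image pull rate exceeded: https://docker.com.billing-update.example/login\n")
LEGIT = ("From: Docker <no-reply@docker.com>\n"
         "Subject: Payment failed, update your billing information\n\n"
         "Manage billing at https://hub.docker.com/billing\n")
```

The From header can be forged, so a matching sender domain here only means this one warning sign is absent; it does not authenticate the message.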

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
