ContainerHijack tampers with Docker Image Manifest V2 Schema 2 manifests. It taints images in Docker Hub, Amazon ECR and GCR. Scanners shrug. Signature checks buckle.
Defenders deploy policy-as-code admission controllers. They lock down Terraform ECR push policies. Falco rules flag strange layers, ghost pushes, rogue processes.
Infra shift: Teams embrace pre-push policy-as-code admission controllers. They snuff out manifest poisoning at the source.
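The pre-push check such an admission controller performs, as an added example that is not the page's or any vendor's code: it pins the registry content digest of a Docker Image Manifest V2 Schema 2 manifest and validates its shape, so a copy whose layer entry was rewritten fails both checks. The sample manifest, its digests and the `tampered_sample` helper are constructed for illustration.

```python
import hashlib
import json
import re
# Media types defined by Docker Image Manifest V2 Schema 2.
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
LAYER_TYPE = "application/vnd.docker.image.rootfs.diff.tar.gzip"
LAYER_TYPES = {LAYER_TYPE, "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def verify_manifest(raw: bytes, pinned_digest: str) -> list:
    problems = []  # an empty list means the manifest passes
    # The registry content digest is sha256 over the bytes exactly as served, so any edit breaks the pin.
    actual = "sha256:" + hashlib.sha256(raw).hexdigest()
    if actual != pinned_digest:
        problems.append(f"digest mismatch: pinned {pinned_digest}, got {actual}")
    try:
        m = json.loads(raw)
        if not isinstance(m, dict):
            raise ValueError("top-level value is not an object")
    except ValueError as exc:
        return problems + [f"manifest is not a JSON object: {exc}"]
    if m.get("schemaVersion") != 2:
        problems.append("schemaVersion is not 2")
    if m.get("mediaType") != MANIFEST_TYPE:
        problems.append(f"unexpected manifest mediaType {m.get('mediaType')!r}")
    layers = m.get("layers")
    if not isinstance(layers, list) or not layers:
        return problems + ["manifest has no layers"]
    for i, layer in enumerate(layers):
        if layer.get("mediaType") not in LAYER_TYPES:
            problems.append(f"layer {i}: unknown mediaType {layer.get('mediaType')!r}")
        if not DIGEST_RE.match(str(layer.get("digest", ""))):
            problems.append(f"layer {i}: malformed digest {layer.get('digest')!r}")
    return problems

# Constructed sample manifest; the digests are placeholder values, not real image content.
SAMPLE = json.dumps({
    "schemaVersion": 2, "mediaType": MANIFEST_TYPE,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "a" * 64},
    "layers": [{"mediaType": LAYER_TYPE, "size": 2811478, "digest": "sha256:" + "c" * 64}],
}, separators=(",", ":")).encode()
# The digest an admission policy would pin, computed once from the trusted copy.
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE).hexdigest()

def tampered_sample() -> bytes:
    # Same manifest with one layer digest rewritten; the value is deliberately too short so both checks fire.
    m = json.loads(SAMPLE)
    m["layers"][0]["digest"] = "sha256:deadbeef"
    return json.dumps(m, separators=(",", ":")).encode()
```

In a real deployment the pinned digest comes from the build system's attested output, never from the registry being checked.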