False malware alerts disrupt Docker Desktop on macOS, halting workflows. Learn the cause, solutions, and steps to resolve this critical issue.

Continue reading
macOS users of Docker Desktop encountered unexpected disruptions when their systems flagged the application as containing malware. This issue, first reported on January 7, 2025, has caused operational challenges for developers and IT administrators relying on Docker Desktop for container management.
Reports suggest that a significant number of users across various industries have been impacted, though exact figures are not yet available.
Here’s a detailed breakdown of the situation, its implications, and the steps being taken to address the problem.
Users running Docker Desktop on macOS started receiving “Malware Blocked” alerts indicating that the file `com.docker.vmnetd` was flagged as malware. The alert read:
> "Malware Blocked. 'com.docker.vmnetd' was not opened because it contains malware. This action did not harm your Mac."
The alert prevented users from starting Docker Desktop, halting development workflows and raising concerns about the integrity of the application.
Docker quickly responded to user concerns through a GitHub issue, clarifying that the warnings were false positives. The root cause was identified as an incorrect code-signing certificate applied to certain files in Docker Desktop installations. macOS’s stringent integrity checks flagged these improperly signed files, leading to the malware warnings.
The issue affects Docker Desktop versions 4.32 through 4.36. Earlier versions (4.28 and before) are not impacted. Users on the affected versions face disruptions, with the application failing to start.
Docker has acknowledged the issue and provided multiple resolution pathways for affected users. In a statement, the company emphasized that:
Docker recommends upgrading to the latest version, which addresses the incorrect code-signing issue. Users can:
For users unable to upgrade immediately, Docker has provided patches for versions 4.32 through 4.36. These patches can be downloaded from Docker’s patch repository, ensuring that the affected files are replaced with correctly signed versions.
If the malware warnings persist after upgrading or patching, Docker has published a detailed guide outlining additional troubleshooting steps. These steps include manually replacing affected binaries and restarting the application.
For enterprise environments, Docker has developed a script that IT administrators can deploy to resolve the issue across multiple systems. The script requires that the application is already updated or patched.
Administrators and advanced users comfortable with manual interventions can:
Docker’s status page continues to reflect a partial service disruption, highlighting that not all users may experience immediate resolution. As of writing, Docker is evaluating the effectiveness of the released patches and monitoring for further issues.
This incident underscores the critical importance of code-signing in software integrity. While the warnings are false positives, they reveal how small errors in code-signing processes can disrupt user workflows and raise security alarms. For organizations, this event highlights the necessity of robust incident response plans and clear communication with users during security-related events.
While this issue has caused significant inconvenience, Docker’s swift acknowledgment and multiple resolution options demonstrate a commitment to user trust and operational integrity. Developers and IT administrators are encouraged to remain vigilant and proactive in applying updates and monitoring the situation as Docker continues its investigations.
For further information, consult Docker’s official documentation or reach out to their support team for assistance.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation