Hi,
thanks to a mindful user, a security issue with an integration test of d-m-p as been detected [1]. For introducing the `docker:load` feature in version 0.2, a test image was loaded and saved during an integration test. This feature was provided as a PR which we merged on January, 2nd, 2017. Unfortunately the PR includes a `busybox-image.tar.gz` which contains a Trojan.
I consider the impact as quite low:
* It is used only during an integration test where it imports the image and immediately deletes it afterwards [2]. So only when this test fails in between the image is left on the Docker daemon used for testing (but we never encountered any issue with this test).
* It never was part of any binary release on Maven central.
* It only possibly can affect people developing on d-m-p, running integration tests.
In order to fix this, I just
* removed the affected file from master's HEAD [3]
* rewrote the Git history with the BFG Repo-Cleaner [4] to remove it from Git history.
However this obviously doesn't clean up any forks or local clones.
**It is therefore highly recommended to clone local working directories afresh and create a new fork (or at least rebase on the laster version on master)**
Sorry for any inconvenience.
... roland