sgbeal 8 hours ago

> Guessing you meant "python" rather than "docker", as docker is not subject to the same type of attack.

No, I meant docker. _All_ systems which pull dependencies from remote sources are subject to attack via malicious dependencies (and a docker image is one big mega-dependency made up of an arbitrary number of other (remote) dependencies). Docker is not immune to container-escaping attacks, but they have proven to be relatively rare, thus the aforementioned blast-radius reduction compared to npm compromises. (Edit: for that matter, all dependencies, remote or not, can be malicious, but remote dependencies are a particularly rich target for attackers.)