Comment on Docker Hub still hosts dozens of Linux images with the XZ backdoor

baod_rate@programming.dev 4 days ago

Debian says they intentionally opted not to remove these images from Docker Hub and to leave them as historical artifacts, telling users to only use up-to-date images and not old ones.

The maintainers made this decision as they believe the requirements for exploitation are unlikely, such as requiring sshd installed and running on the container, the attacker having network access to the SSH service on that container, and using a private key that matches the backdoor’s trigger logic.

Idk that seems pretty reasonable to me. I think I’ve only ever needed to enable ssh on a container once.
