crates.io
-
TrapDoor supply chain attack spreads across npm, PyPI and Crates.io
A coordinated supply chain campaign has spread malicious packages across npm, PyPI and Crates.io, targeting developers with code that steals credentials, wallets, SSH keys and cloud secrets.
-
Five malicious Rust crates exfiltrated .env files and AI bot exploited GitHub Actions
Researchers found five malicious Rust crates on crates.io that exfiltrated .env files. Packages were removed. Users should rotate secrets, audit CI workflows and restrict outbound access to reduce supply chain risk.
-
Malicious Rust crate ‘evm‑units’ delivered cross‑platform payloads and targeted Web3 developers
A malicious Rust crate named evm‑units masqueraded as an Ethereum helper and delivered platform‑specific payloads to Windows, macOS and Linux machines. Published by a crates.io user called ablerust and included as a dependency of uniswap‑utils, the package fetched and executed scripts or PowerShell based on the host OS and the presence of Qihoo 360 antivirus,…
-
Malicious Rust crates impersonating fast_log steal Solana and Ethereum wallet keys, researchers say
Cybersecurity researchers say two malicious Rust crates impersonating the fast_log logging library were used to harvest Solana and Ethereum wallet keys from source code, with Crates.io removing the packages and preserving logs for analysis after responsible disclosure.
