
Commit c4676c0

Merge pull request #1762 from integer32llc/another-crates-io-security-ann
Announce 2 more malicious crates
2 parents 6f6bf64 + c9025f1 commit c4676c0

File tree

1 file changed

+38
-0
lines changed

@@ -0,0 +1,38 @@
1+
+++
2+
path = "2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust"
3+
title = "crates.io: Malicious crates finch-rust and sha-rust"
4+
authors = ["Carol Nichols and Adam Harvey"]
5+
6+
[extra]
7+
team = "the crates.io team"
8+
team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io"
9+
+++
10+
11+
## Summary
12+
13+
On December 5th, the crates.io team was notified by Kush Pandya from the [Socket Threat Research Team][socket] of two malicious crates which were trying to cause confusion with the existing `finch` crate but adding a dependency on a malicious crate doing data exfiltration.
14+
15+
These crates were:
16+
- `finch-rust` - 1 version published November 25, 2025, downloaded 28 times, used `sha-rust` as a dependency
17+
- `sha-rust` - 8 versions published between November 20 and November 25, 2025, downloaded 153 times
18+
19+
## Actions taken
20+
21+
The user in question, `face-lessssss`, was immediately disabled, and the crates in question were deleted from crates.io shortly after. We have retained the malicious crate files for further analysis.
22+
23+
The deletions were performed at 15:52 UTC on December 5th.
24+
25+
We reported the associated repositories to GitHub and the account has been removed there as well.
26+
27+
## Analysis
28+
29+
[Socket has published their analysis in a blog post](https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials).
30+
31+
These crates had no dependent downstream crates on crates.io, and there is no evidence of either of these crates being downloaded outside of automated mirroring and scanning services.
32+
33+
## Thanks
34+
35+
Our thanks to Kush Pandya from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team and Adam Harvey from the [Rust Foundation][foundation] for aiding in the response.
36+
37+
[foundation]: https://foundation.rust-lang.org/
38+
[socket]: https://www.socket.dev/
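Review bot: the Summary sentence "two malicious crates which were trying to cause confusion with the existing `finch` crate but adding a dependency on a malicious crate doing data exfiltration" reads as if the name confusion and the dependency were two alternatives, when the bullet list below it says `finch-rust` used `sha-rust` as a dependency; consider restating it as "two malicious crates: `finch-rust`, which imitated the existing `finch` crate, and `sha-rust`, which it depended on and which exfiltrated data". The Analysis section says there is no evidence of downloads outside mirrors and scanners, but the post never tells a reader what to look for on their own side; since the account `face-lessssss` was disabled and the crates deleted, a single line such as "If `finch-rust` or `sha-rust` appears in your `Cargo.lock`, remove it and treat credentials on that machine as exposed" (the credential advice follows from the linked Socket write-up's title, not from anything the post itself states) would close that gap.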
