11 matches found

UbuntuCve
added 2026/05/25 10:16 a.m., 7 views

CVE-2026-5223

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...

6.5 CVSS, 5.8 AI score, 0.00415 EPSS
Exploits 0, References 4

OSV
added 2026/05/25 10:16 a.m., 3 views

UBUNTU-CVE-2026-5223

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...

6.5 CVSS, 5.9 AI score, 0.00415 EPSS
Exploits 0, References 5

Snyk
added 2026/05/23 9:0 p.m., 8 views

Malicious Package

Overview cryptowallet-safety is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2

Snyk
added 2026/05/23 9:0 p.m., 11 views

Malicious Package

Overview solidity-build-guard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2

OSV
added 2026/05/04 9:43 p.m., 2 views

GHSA-G38R-8GMR-GHRF `mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits 0, References 2

RustSec
added 2026/02/19 12:0 p.m., 6 views

`rpc-check` was removed from crates.io for malicious code

It was attempting to steal credentials from the POLYMARKETPRIVATEKEY environment variable. The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io. Thanks to Sisong Li for finding and reporting th...

5.5 AI score
Exploits 0

OSV
added 2026/02/13 12:0 p.m., 4 views

RUSTSEC-2026-0011 `polymarket-client-sdks` was removed from crates.io for malicious code

It appeared to be typosquatting existing crate polymarket-client-sdk (sdks vs sdk) and attempting to steal credentials from local files. The malicious crate had 1 version published on 2026-02-09 and had been downloaded only 33 times. There were no crates depending on this crate on crates.io. Thanks...

5.4 AI score
Exploits 0, References 2

OSV
added 2025/03/10 12:0 p.m., 4 views

RUSTSEC-2025-0156 `tree-sitter-pkl` was removed from crates.io for malicious code

tree-sitter-pkl was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in March 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.9 AI score
Exploits 0, References 2

Amazon
added 2024/01/22 12:0 a.m., 13 views

Medium: rust

Issue Overview: Cargo downloads a Rust project's dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject...

6.1 CVSS, 7.5 AI score, 0.00846 EPSS
Exploits 0

OSV
added 2023/11/06 12:0 p.m., 2 views

RUSTSEC-2023-0114 `tiny-server` was removed from crates.io for malicious code

This crate was part of a typosquatting malware cluster published by the malicious user http-tiny and contained a malware payload in build.rs to exfiltrate host information to the attacker. This advisory is to retrospectively document this attempted attack. The version information and download...

5.8 AI score
Exploits 0, References 2

OSV
added 2023/08/24 11:15 p.m., 2 views

DEBIAN-CVE-2023-40030

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

6.1 CVSS, 7.1 AI score, 0.00846 EPSS
Exploits 0, References 1