
5 matches found

OSV
added 2022/08/11 3:43 p.m., 12 views

GHSA-7PWQ-F4PQ-78GM `rustdecimal` is a malicious crate

The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained malware. The crate name was intentionally similar to the name of the popular rust_decimal crate, hoping that potential victims would misspell its...

AI score: 7.1
Exploits: 0, References: 4
OSSF Malicious Packages
added 2022/08/11 3:43 p.m., 2 views

Malicious code in rustdecimal (crates.io)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e33f42f05c60c6d9f9297bae15a43d6c445e2ad0fd67fa4ef144e5cc79d09c7 The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained...

AI score: 7
Exploits: 0, References: 5
OSV
added 2022/08/11 3:43 p.m., 13 views

MAL-2022-1 Malicious code in rustdecimal (crates.io)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e33f42f05c60c6d9f9297bae15a43d6c445e2ad0fd67fa4ef144e5cc79d09c7 The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained...

AI score: 7.1
Exploits: 0, References: 5
OSV
added 2022/05/21 8:7 p.m., 18 views

GSD-2022-1002520 typosquatting / spellcheck squatting in rustdecimal version all

In rustdecimal, all versions prior to 1.23.4 contain malicious code that downloads a binary masked as a "readme" file and then, depending on the OS, makes it executable and runs it. The rustdecimal crate appears to be a malicious clone of the real rust-decimal crate. Due to the similarity of the...

AI score: 7.2
Exploits: 0, References: 4
The Hacker News
added 2022/05/20 10:41 a.m., 17 views

Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines

A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression." Typosquatting attacks take place wh...

AI score: 2
Exploits: 0