The Crates.io Rust package registry was targeted recently in what appeared to be the initial phase of a malware attack aimed at developers, according to software supply chain security firm Phylum.
It’s not uncommon for threat actors to rely on typosquatting and software development package registries to deliver malware to Node.js and Python developers.
In these types of attacks, hackers typically create packages with names that are misspelled — or typosquatted — variants of popular packages.
These attacker packages are initially benign to ensure that they are accepted into official registries. Days or weeks later, the threat actor adds malicious functionality that they can leverage against developers who download their package instead of the legitimate version.
Phylum reported that such an attack targeted the Rust package registry Crates.io earlier this month. Fortunately, the suspicious packages were detected early, but in some cases the attacker did manage to add code designed to send information about the compromised host to a Telegram channel. This is likely part of a callback mechanism used for communications.
The Rust Foundation was notified and it quickly removed the packages and locked the uploader’s account. GitHub was also notified and took action against the associated account.
It’s unclear exactly what type of malicious functionality would have been added to the packages had they not been removed, but Phylum believes the attacker may have wanted to steal secrets or sensitive files from victims.
After successfully testing its callback mechanism, the threat actor could have also attempted to publish many more packages in a short time frame in an effort to cast a wide net before the packages were removed by the registry.
“It’s hard to say with any degree of certainty whether or not this campaign would have evolved into something more nefarious. What we can say is that we’ve seen this play out many times before in many other ecosystems, and the outcome was always the same. Developers were compromised, credentials/secrets were stolen, data was exfiltrated, and in some cases, money was lost as a result,” Phylum said.
“With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target,” it added.
Related: Rust Gets a Dedicated Security Team
Related: Evasive Rust-Coded Hive Ransomware Variant Emerges
Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
