The Crates.io Rust package registry was targeted recently in what appeared to be the initial phase of a malware attack aimed at developers, according to software supply chain security firm Phylum.
It’s not uncommon for threat actors to rely on typosquatting and software development package registries to deliver malware to Node.js and Python developers.
In these types of attacks, hackers typically create packages with names that are misspelled — or typosquatted — variants of popular packages.
These attacker packages are initially benign to ensure that they are accepted into official registries. Days or weeks later, the threat actor adds malicious functionality that they can leverage against developers who download their package instead of the legitimate version.
Phylum reported that such an attack targeted the Rust package registry Crates.io earlier this month. Fortunately, the suspicious packages were detected early, but in some cases the attacker did manage to add code designed to send information about the compromised host to a Telegram channel. This is likely part of a callback mechanism used for communications.
The Rust Foundation was notified and it quickly removed the packages and locked the uploader’s account. GitHub was also notified and took action against the associated account.
It’s unclear exactly what type of malicious functionality would have been added to the packages had they not been removed, but Phylum believes the attacker may have wanted to steal secrets or sensitive files from victims.
After successfully testing its callback mechanism, the threat actor could have also attempted to publish many more packages in a short time frame in an effort to cast a wide net before the packages were removed by the registry.
“It’s hard to say with any degree of certainty whether or not this campaign would have evolved into something more nefarious. What we can say is that we’ve seen this play out many times before in many other ecosystems, and the outcome was always the same. Developers were compromised, credentials/secrets were stolen, data was exfiltrated, and in some cases, money was lost as a result,” Phylum said.
“With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target,” it added.
Related: Rust Gets a Dedicated Security Team