Connect with us

Hi, what are you looking for?


Application Security

Signs of Malware Attack Targeting Rust Developers Found on

The Rust package registry was targeted in preparation of a malware attack aimed at developers, according to Phylum.

The Rust package registry was targeted recently in what appeared to be the initial phase of a malware attack aimed at developers, according to software supply chain security firm Phylum.

It’s not uncommon for threat actors to rely on typosquatting and software development package registries to deliver malware to Node.js and Python developers.

In these types of attacks, hackers typically create packages with names that are misspelled — or typosquatted — variants of popular packages. 

These attacker packages are initially benign to ensure that they are accepted into official registries. Days or weeks later, the threat actor adds malicious functionality that they can leverage against developers who download their package instead of the legitimate version.

Phylum reported that such an attack targeted the Rust package registry earlier this month. Fortunately, the suspicious packages were detected early, but in some cases the attacker did manage to add code designed to send information about the compromised host to a Telegram channel. This is likely part of a callback mechanism used for communications.  

The Rust Foundation was notified and it quickly removed the packages and locked the uploader’s account. GitHub was also notified and took action against the associated account.

It’s unclear exactly what type of malicious functionality would have been added to the packages had they not been removed, but Phylum believes the attacker may have wanted to steal secrets or sensitive files from victims.

Advertisement. Scroll to continue reading.

After successfully testing its callback mechanism, the threat actor could have also attempted to publish many more packages in a short time frame in an effort to cast a wide net before the packages were removed by the registry.

“It’s hard to say with any degree of certainty whether or not this campaign would have evolved into something more nefarious. What we can say is that we’ve seen this play out many times before in many other ecosystems, and the outcome was always the same. Developers were compromised, credentials/secrets were stolen, data was exfiltrated, and in some cases, money was lost as a result,” Phylum said.

“With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target,” it added.

Related: Rust Gets a Dedicated Security Team

Related: Evasive Rust-Coded Hive Ransomware Variant Emerges

Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.