From 8aa97f189e9824445eafcb9eb58e25381d58570e Mon Sep 17 00:00:00 2001
From: "Carol (Nichols || Goulding)"
Date: Fri, 5 Dec 2025 12:59:09 -0500
Subject: [PATCH 1/2] Announce 2 more malicious crates
---
 ...alicious-crates-finch-rust-and-sha-rust.md | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
diff --git a/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md b/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
new file mode 100644
index 000000000..50e24e9a7
--- /dev/null
+++ b/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
@@ -0,0 +1,38 @@
++++
+path = "2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust"
+title = "crates.io: Malicious crates finch-rust and sha-rust"
+authors = ["Carol Nichols and Adam Harvey"]
+
+[extra]
+team = "the crates.io team"
+team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io"
++++
+
+## Summary
+
+On December 5th, the crates.io team was notified by Kush Pandya from the [Socket Threat Research Team][socket] of two malicious crates which were trying to cause confusion with the existing `finch` crate but adding a dependency on a malicious crate doing data exfiltration.
+
+These crates were:
+- `finch-rust` - 1 version published November 25, 2025, downloaded 28 times, used `sha-rust` as a dependency
+- `sha-rust` - 8 versions published between November 20 and November 25, 2025, downloaded 153 times
+
+## Actions taken
+
+The user in question, `face-lessssss`, was immediately disabled, and the crates in question were deleted from crates.io shortly after. We have retained the malicious crate files for further analysis.
+
+The deletions were performed at 15:52 UTC on December 5th.
+
+We reported the associated repositories to GitHub and the account has been removed there as well.
+
+## Analysis
+
+[Socket has published their analysis in a blog post](https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials).
+
+These crates had no dependent downstream crates on crates.io, and there is no evidence of either of these crates being downloaded outside of automated mirroring and scanning services.
+
+## Thanks
+
+Our thanks to Kush Pandya from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team and Adam Harvey from the [Rust Foundation](foundation) for aiding in the response.
+
+[foundation]: https://foundation.rust-lang.org/
+[socket]: https://www.socket.dev/
From c9025f10b0496c23e902af7cec45221ccbce3949 Mon Sep 17 00:00:00 2001
From: "Carol (Nichols || Goulding)" <193874+carols10cents@users.noreply.github.com>
Date: Fri, 5 Dec 2025 13:07:59 -0500
Subject: [PATCH 2/2] Fix markdown link
Co-authored-by: Jake Goulding
---
 content/crates.io-malicious-crates-finch-rust-and-sha-rust.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md b/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
index 50e24e9a7..e76d56ef3 100644
--- a/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
+++ b/content/crates.io-malicious-crates-finch-rust-and-sha-rust.md
@@ -32,7 +32,7 @@ These crates had no dependent downstream crates on crates.io, and there is no ev
 ## Thanks
 
-Our thanks to Kush Pandya from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team and Adam Harvey from the [Rust Foundation](foundation) for aiding in the response.
+Our thanks to Kush Pandya from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team and Adam Harvey from the [Rust Foundation][foundation] for aiding in the response.
 
 [foundation]: https://foundation.rust-lang.org/
 [socket]: https://www.socket.dev/