Crates.io phishing #11889

Barre · 2025-09-12T13:10:23Z

Barre
Sep 12, 2025

In light of the recent NPM compromise, I wanted to warn others who might receive similar messages. Immediately after publishing a new version of https://crates.io/crates/zerofs, I received the following:

Hi, Barre!

We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture.

We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in [redacted] to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you.

The page looks like:

It seems that the phishing website is a full proxy to Github:

Turbo87 · 2025-09-12T13:30:03Z

Turbo87
Sep 12, 2025
Collaborator

thanks for reporting this! we'll see if there is something we can do about it.

2 replies

Turbo87 Sep 12, 2025
Collaborator

status report:

we have sent a takedown request to the domain provider
we have sent an email to the GitHub security team
we have published https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/ and amplified it on social media
we are monitoring API token creations for suspicious activity
the domain has been reported to https://safebrowsing.google.com/

Barre Sep 12, 2025
Author

Very cool, thanks!

carols10cents · 2025-09-12T14:44:26Z

carols10cents
Sep 12, 2025
Collaborator

If anyone realizes they have exposed their creds through this attack, please contact us at help@crates.io asap (and contact GitHub as well)! (no shame!!!)

0 replies

MichaelMcDonnell · 2025-09-12T16:16:23Z

MichaelMcDonnell
Sep 12, 2025

Has anyone reported this infrastructure attack to the Cybersecurity and Infrastructure Security Agency (CISA)?

1 reply

Turbo87 Sep 12, 2025
Collaborator

there has been no infrastructure attack. that is only what the phishing email claimed. the only attack that is real is the phishing attack itself.

rursprung · 2025-09-12T18:24:41Z

rursprung
Sep 12, 2025

FYI: out of interest i went to https://rustfoundation.dev/ and it now shows this instead:

crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)
security@rustfoundation.dev

0 replies

Crates.io phishing #11889

Uh oh!

Uh oh!

Barre Sep 12, 2025

Replies: 4 comments · 3 replies

Uh oh!

Turbo87 Sep 12, 2025 Collaborator

Uh oh!

Uh oh!

Turbo87 Sep 12, 2025 Collaborator

Uh oh!

Barre Sep 12, 2025 Author

Uh oh!

Uh oh!

carols10cents Sep 12, 2025 Collaborator

Uh oh!

MichaelMcDonnell Sep 12, 2025

Uh oh!

Turbo87 Sep 12, 2025 Collaborator

Uh oh!

rursprung Sep 12, 2025

Barre
Sep 12, 2025

Replies: 4 comments 3 replies

Turbo87
Sep 12, 2025
Collaborator

Turbo87 Sep 12, 2025
Collaborator

Barre Sep 12, 2025
Author

carols10cents
Sep 12, 2025
Collaborator

MichaelMcDonnell
Sep 12, 2025

Turbo87 Sep 12, 2025
Collaborator

rursprung
Sep 12, 2025