crates.io phishing attempt
Earlier this week, npm was hit by a supply chain attack.
Now it is crates.io's turn, the main public registry for Rust crates (packages).
The phishing e-mail looks like this:
And it links to a page that imitates the GitHub login page, which looks like this:
Several maintainers received it — the issue is being discussed on GitHub.
The crates.io team has acknowledged the attack and said they would look into what they can do about it.
No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).
Important links: