crates.io phishing attempt

Thanks to my sponsors: Raphaël Thériault, Peter Shih, Geoffrey Thomas, Stephan Buys, Astrid, Berkus Decker, Sam Leonard, Lyssieth, Jonathan Adams, Hadrien G., Marty Penner, Marcus Griep, Ben Mitchell, Daniel Strittmatter, David White, anichno, xales, Alex Krantz, Menno Finlay-Smits, Jimmy Hartzell and 253 more Raphaël Thériault, Peter Shih, Geoffrey Thomas, Stephan Buys, Astrid, Berkus Decker, Sam Leonard, Lyssieth, Jonathan Adams, Hadrien G., Marty Penner, Marcus Griep, Ben Mitchell, Daniel Strittmatter, David White, anichno, xales, Alex Krantz, Menno Finlay-Smits, Jimmy Hartzell, Diego Roig, Gioele Pannetto, Dominik Wagner, Morgan Rosenkranz, Zalán Bálint Lévai, David Smith, Jan-Stefan Janetzky, Philipp Hatt, Zac Harrold, Kamran Khan, Tanner Muro, jalciné, Ripta Pasay, Mathias Brossard, Matt Jadczak, Aleksandre Khokhiashvili, Adam Gutglick, Ives van Hoorne, Carson Page, Integer 32, LLC, Alan O'Donnell, callym, Olly Swanson, René Ribaud, Yves, Matt Campbell, Thehbadger, Urs Metz, kuerbsikakteen, genny, Blake Johnson, Simon Menke, Raine Godmaire, belzael, David Cornu, Luis, Toon Willems, Alex Rudy, Marc-Andre Giroux, Dylan Anthony, Paul Marques Mota, Lawrence Bethlenfalvy, std__mpa, Mario Fleischhacker, Aiden Scandella, Zachary Myers, Zachary Thomas, Makoto Nakashima, Michał Zalewski, Colin VanDervoort, playest, Jack Duvall, Reto Trappitsch, FELIX, Michal Hošna, Marcus Griep, Matt Jackson, Antoine PESTEL-ROPARS, Samit Basu, Jean-David Gadina, me, Olivier Peyrusse, clement, budrick, rektide, Anson VanDoren, Borys Minaiev, Mathew Haji, compwhizii, Em Sharnoff, WeblWabl, Mark Tomlin, Sawyer Knoblich, Björn Marschollek, Chris Walker, Max Heaton, Daniel Wagner-Hall, Chris Emery, Walther, Luke Yue, Brooke Tilley, Neil Blakey-Milner, Andrew Henshaw, Philipp Angerer, AdrianEddy, Nicolas Riebesel, Olivia Crain, Twan Walpot, Zaki, Dragoon, Pete Bevin, Marco Carmosino, Kai Kaufman, knutwalker, Guillaume E, Marie Janssen, Tyler Bloom, Brandon Piña, Tomas Sedovic, Ronen Ulanovsky, Jörn Huxhorn, Horváth-Lázár Péter, Zoran Zaric, Taneli Kaivola, Manuel Hutter, Antoine Rouaze, Ian McLinden, Jake Demarest-Mays, Luuk, Vincent Mutolo, Justin Smith, Cole Kurkowski, Nicholas, Radu Matei, Julian Schmid, Geoffroy Couprie, Scott Sanderson, Romet Tagobert, Anna M, Josh Triplett, Boris Dolgov, Jelle Besseling, Ross Williams, qrpth, Luke Konopka, Romain Kelifa, Mason Ginter, Yann Schwartz, Chris Biscardi, Kyle Lacy, Elendol, Bob Ippolito, avborhanian, Gorazd Brumen, Mattia Valzelli, Tabitha, Henrik Tudborg, Sean Bryant, Christian Bourjau, Enrico Zschemisch, Vinay Mehta, Dirkjan Ochtman, hgranthorner, Johnathan Pagnutti, Isak Sunde Singh, Nicolas Coulange, Tiziano Santoro, milan, dataphract, Richard Pringle, Benjamin Röjder Delnavaz, Matt Heise, Max Bruckner, notryanb, Dom, ZacJW, Lucille Blumire, Lena Schönburg, Vladimir, Ben Wishovich, zed, The0x539, Antoine Boegli, Malik Bougacha, Christopher Valerio, Marcin Kołodziej, Chris, Chris Thackrey, Pete LeVasseur, Hamilton Chapman, Jesse Luehrs, Senyo Simpson, eliferrous, pinkhatbeard, villem, Michał Bartoszkiewicz, old.woman.josiah, Mateusz Wykurz, Egor Ternovoi, Torben Clasen, Andy Gocke, Paige Ruten, Eugene Bulkin, Matthias Zepper, prairiewolf, Arjen Laarhoven, Daniel Silverstone, Mike English, jatescher, Justin Ossevoort, Mark, Guy Waldman, Guilherme Neubaner, Yufan Lou, Sung Jeon, Brian L. Troutwine, Jim, Joshua Roesslein, Dave Minter, Justy, Angelo, Beat Scherrer, Niels Abildgaard, SeniorMars, Santiago Lema, ShikChen, C J Silverio, ofrighil, Matej Volf, Michael, you got maiL, James Rhodes, Ryan, James Leitch, Miguel Raz Guzmán Macedo, traxys, 0lach, Zeeger Lubsen, L0r3m1p5um, Ronen Cohen, Andy F, Max von Forell, Julien Roncaglia, Mikkel Rasmussen, psentee, Xavier Groleau, Timothée Gerber, Richard Stephens, Braidon Whatley, Yuriy Taraday, Christoph Grabo, David Barsky, John VanEnk, Wyatt Herkamp, James Brown, Geoff Cant, Corey Alexander, Nyefan, Alexandra Østermark, Steven Pham, Valentin Mariette, Kevin Murphy, Tobias Bahls, Mark Old, Romain Ruetschi, Elnath, Adam Lassek, Xirvik Servers, Victor Song, Dimitri Merejkowsky, Tom Forbes, Laine Taffin Altman, Chris Sims

Earlier this week, an npm supply chain attack.

It’s turn for crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

And it leads to a GitHub login page that looks like this:

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.

No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).

Important links:

• Rust Security Response WG blog post.
• GitHub discussion about the attack

Did you know I also make videos? Check them out on PeerTube and also YouTube!

Here's another article just for you:

The case for sans-io

Feb 07, 2025

26 min #zip · #rust · #async

The most popular option to decompress ZIP files from the Rust programming language is a crate simply named zip — At the time of this writing, it has 48 million downloads. It’s fully-featured, supporting various compression methods, encryption, and even supports writing zip files.

However, that’s not the crate everyone uses to read ZIP files. Some applications benefit from using asynchronous I/O, especially if they decompress archives that they download from the network.

Read more