crates.io phishing attempt

Thanks to my sponsors: Scott Sanderson, Max Heaton, ShikChen, budrick, Jimmy Hartzell, Mario Fleischhacker, Mason Ginter, Mateusz Wykurz, Max Bruckner, old.woman.josiah, Chris, Lena Schönburg, Sean Bryant, prairiewolf, Alan O'Donnell, you got maiL, James Leitch, Mathias Brossard, Radu Matei, Julien Roncaglia and 246 more Scott Sanderson, Max Heaton, ShikChen, budrick, Jimmy Hartzell, Mario Fleischhacker, Mason Ginter, Mateusz Wykurz, Max Bruckner, old.woman.josiah, Chris, Lena Schönburg, Sean Bryant, prairiewolf, Alan O'Donnell, you got maiL, James Leitch, Mathias Brossard, Radu Matei, Julien Roncaglia, Tomáš Šedovič, Daniel Silverstone, Guillaume E, Xirvik Servers, Marcus Griep, Em Sharnoff, Gorazd Brumen, knutwalker, Twan Walpot, Vinay Mehta, John VanEnk, Braidon Whatley, Andy Gocke, villem, traxys, eliferrous, Jörn Huxhorn, Torben Clasen, belzael, Lyssieth, Samit Basu, Tobias Bahls, Chris Emery, The0x539, Geoffrey Thomas, Tiziano Santoro, Dragoon, jalciné, Niels Abildgaard, Diego Roig, Laine Taffin Altman, Tabitha, Daniel Strittmatter, dataphract, Joshua Roesslein, Lucille Blumire, Ripta Pasay, Antoine Rouaze, SeniorMars, Raine Godmaire, Luis, Alexandra Østermark, clement, Horváth-Lázár Péter, Enrico Zschemisch, playest, Zac Harrold, Zeeger Lubsen, David White, Makoto Nakashima, Corey Alexander, Geoffroy Couprie, kuerbsikakteen, Ross Williams, Xavier Groleau, Marc-Andre Giroux, David Cornu, me, avborhanian, Boris Dolgov, Steven Pham, Zalán Bálint Lévai, Dominik Wagner, Zaki, Julian Schmid, Nicolas Coulange, Henrik Tudborg, FELIX, Olivia Crain, Nyefan, Justy, Yufan Lou, rektide, Matej Volf, Andrew Henshaw, Isak Sunde Singh, Taneli Kaivola, Pete LeVasseur, Ives van Hoorne, zed, Dirkjan Ochtman, AdrianEddy, Marco Carmosino, Jelle Besseling, Vladimir, Philipp Angerer, Gioele Pannetto, Adam Lassek, Ryan, Matt Jadczak, Mathew Haji, Menno Finlay-Smits, Nicolas Riebesel, Colin VanDervoort, Kevin Murphy, zoey, Jim, Walther, Paige Ruten, jatescher, Malik Bougacha, Chris Walker, Wyatt Herkamp, James Brown, Brooke, Matt Campbell, Dom, Kai Kaufman, C J Silverio, Anson VanDoren, Egor Ternovoi, Stephan Buys, Urs Metz, Carson Page, Angelo, Simon Menke, Kamran Khan, L0r3m1p5um, Aleksandre Khokhiashvili, Philipp Hatt, frankwang, Brandon Piña, Ben Wishovich, Luke Konopka, Christian Bourjau, Tyler Bloom, Ronen Cohen, xd009642, Valentin Mariette, Jesse Luehrs, Aiden Scandella, Daniel Wagner-Hall, Hamilton Chapman, notryanb, Jean-David Gadina, Jan-Stefan Janetzky, Christopher Valerio, pinkhatbeard, Astrid, Raphaël Thériault, Yuriy Taraday, Tom Forbes, Dylan Anthony, Michael, Michał Zalewski, milan, Blake Johnson, Mark Tomlin, Mike English, René Ribaud, Marcin Kołodziej, Hazel Duvall, Max von Forell, Mikkel Rasmussen, Integer 32, LLC, Kyle Lacy, Michał Bartoszkiewicz, xales, Björn Marschollek, psentee, Chris Thackrey, Marty Penner, Yann Schwartz, Victor Song, Vincent Mutolo, David Barsky, Benjamin Röjder Delnavaz, Thehbadger, Johnathan Pagnutti, Guy Waldman, Timothée Gerber, Ben Mitchell, Richard Pringle, Borys Minaiev, Dimitri Merejkowsky, callym, Lach, Manuel Hutter, Olivier Peyrusse, Geoff Cant, Antoine PESTEL-ROPARS, Olly Swanson, Alex Rudy, Christoph Grabo, Sam Leonard, Miguel Raz Guzmán Macedo, Adam Gutglick, Luke Yue, Guilherme Neubaner, Jeff Crocker, std__mpa, Mark Old, Justin Ossevoort, Chris Sims, David Smith, qrpth, genny, hgranthorner, Michal Hošna, Ronen Ulanovsky, Andy F, compwhizii, Matt Jackson, Hadrien G., Neil Blakey-Milner, Senyo Simpson, Richard Stephens, Eugene Bulkin, Anna M, Ian McLinden, ZacJW, Peter Shih, Matt Heise, Mark, Toon Willems, Zoran Zaric, Matthias Zepper, Justin Smith, Sung Jeon, Jake Demarest-Mays, WeblWabl, Reto Trappitsch, Bob Ippolito, Sawyer Knoblich, Zachary Thomas, Beat Scherrer, Marcus Griep, Dave Minter, Brian L. Troutwine, Romain Ruetschi, Josh Triplett, Romet Tagobert, Santiago Lema, anichno, ofrighil, Yves, Tanner Muro, James Rhodes, Mattia Valzelli, Elnath, Lawrence Bethlenfalvy, Antoine Boegli, Marie Janssen, Jonathan Adams, Romain Kelifa, Pete Bevin

Earlier this week, an npm supply chain attack.

It’s turn for crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

And it leads to a GitHub login page that looks like this:

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.

No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).

Important links:

• Rust Security Response WG blog post.
• GitHub discussion about the attack

Did you know I also make videos? Check them out on PeerTube and also YouTube!

Here's another article just for you:

My ideal Rust workflow

Oct 26, 2021

57 min #rust · #release-engineering

Writing Rust is pretty neat. But you know what’s even neater? Continuously testing Rust, releasing Rust, and eventually, shipping Rust to production. And for that, we want more than plug-in for a code editor.

We want… a workflow.

Why I specifically care about this

Cool Bear's hot tip

This gets pretty long, so if all you want is the advice, feel free to jump to it directly.

Read more