crates.io phishing attempt
Earlier this week, there was an npm supply chain attack.
Now it's the turn of crates.io, the main public registry for Rust crates (packages).
The phishing e-mail looks like this:
And it leads to a GitHub login page that looks like this:
Several maintainers received it — the issue is being discussed on GitHub.
The crates.io team has acknowledged the attack and said they’d see if they can do something about it.
No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).
Important links:
Futures Nostalgia
Up until recently, hyper was my favorite Rust HTTP framework. It’s low-level, but that gives you a lot of control over what happens.
Here’s what a sample hyper application would look like:
$ cargo new nostalgia
     Created binary (application) `nostalgia` package
$ cd nostalgia
$ cargo add hyper@0.14 --features "http1 tcp server"
    Updating 'https://github.com/rust-lang/crates.io-index' index
      Adding hyper v0.14 to dependencies with features: ["http1", "tcp", "server"]
$ cargo add tokio@1 --features "full"
    Updating 'https://github.com/rust-lang/crates.io-index' index
      Adding tokio v1 to dependencies with features: ["full"]