crates.io phishing attempt

Sep 12, 2025 1 min #rust · #security

Thanks to my sponsors: Integer 32, LLC, WeblWabl, Raphaël Thériault, Simon Menke, Jean-David Gadina, Guilherme Neubaner, Geoffroy Couprie, Egor Ternovoi, SeniorMars, Tabitha, Jan-Stefan Janetzky, Zac Harrold, Alexandra Østermark, dataphract, Nyefan, Ives van Hoorne, David White, Stephan Buys, playest, Ian McLinden and 246 more

Earlier this week, an npm supply chain attack.

It’s turn for crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

A phishing e-mail: Important: Breach notification regarding crates.io Hi, BurntSushi! We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture. We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in here to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you. — Andrew Gallant on BlueSky

And it leads to a GitHub login page that looks like this:

A fake GitHub sign-in page. — Barre on GitHub

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.

No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).

Important links:

(JavaScript is required to see this. Or maybe my stuff broke)

Did you know I also make videos? Check them out on PeerTube and also YouTube!

Here's another article just for you:

Frustrated? It's not you, it's Rust

Aug 14, 2020

38 min #rust · #traits · #sized · #lifetimes

Learning Rust is… an experience. An emotional journey. I’ve rarely been more frustrated than in my first few months of trying to learn Rust.

What makes it worse is that it doesn’t matter how much prior experience you have, in Java, C#, C or C++ or otherwise - it’ll still be unnerving.

In fact, more experience probably makes it worse! The habits have settled in deeper, and there’s a certain expectation that, by now, you should be able to get that done in a shorter amount of time.