Articles tagged #security

Page 1

crates.io phishing attempt

Sep 12, 2025
1 min #rust · #security

Earlier this week, there was an npm supply chain attack.

Now it's the turn of crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

A phishing e-mail:

Important: Breach notification regarding crates.io

Hi, BurntSushi! We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture. We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in here to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you.

Andrew Gallant on BlueSky

And it leads to a GitHub login page that looks like this:

A fake GitHub sign-in page.
Barre on GitHub

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.


Beware the Google Password Manager

Jul 02, 2020
11 min #security · #postmortem

Hey internet! So, someone broke into some of my accounts.

I’m taking entire responsibility for this - there’s the part where I fucked up, and if I didn’t fuck up, then none of this would’ve happened.

But there’s also the part where a series of design decisions from various vendors combined into the perfect storm for me.

And we’re going to talk about both! Separately! And calmly.
