Summary
On December 5th, the crates.io team was notified by Kush Pandya from the Socket Threat Research Team of two malicious crates which were trying to cause confusion with the existing finch crate but adding a dependency on a malicious crate doing data exfiltration.
These crates were:
finch-rust- 1 version published November 25, 2025, downloaded 28 times, usedsha-rustas a dependencysha-rust- 8 versions published between November 20 and November 25, 2025, downloaded 153 times
Actions taken
The user in question, face-lessssss, was immediately disabled, and the crates in question were deleted from crates.io shortly after. We have retained the malicious crate files for further analysis.
The deletions were performed at 15:52 UTC on December 5th.
We reported the associated repositories to GitHub and the account has been removed there as well.
Analysis
Socket has published their analysis in a blog post.
These crates had no dependent downstream crates on crates.io, and there is no evidence of either of these crates being downloaded outside of automated mirroring and scanning services.
Thanks
Our thanks to Kush Pandya from the Socket Threat Research Team for reporting the crates. We also want to thank Carol Nichols from the crates.io team and Adam Harvey from the Rust Foundation for aiding in the response.