crates.io Postmortem: User Uploaded Malware

Sept. 1, 2023 · Adam Harvey on behalf of the crates.io team

Summary

On August 16, the crates.io team was notified by Louis Lang at Phylum of a new user who had uploaded nine crates that typosquatted[1] popular crates with ill intent. The crates were immediately yanked and the user account locked, and the crates were then fully removed from the crates.io file store on August 18.

Phylum have also written their own blog on this incident.

Contents

These crates contained malicious build.rs files that would attempt to send metadata from the user's computer to a Telegram[2] channel, including their operating system, IP address, and geolocation information based on their IP address.[3]

One version of one crate also contained a copy of the PuTTY[4] installer, with the build.rs spawning PuTTY instead of sending metadata to Telegram. Our assumption is that this was an earlier stage of experimenting with what was possible from a build.rs file.

Actions taken

The crates were yanked and the associated user account was locked immediately after the crates.io team received the report. This would not have prevented someone from downloading the crate files directly from static.crates.io, but removed the crates from the crate index and made them uninstallable through normal cargo usage.

After analysing the crates in question and the logs related to all actions taken by this user — from signing up, searching for crates to typosquat, and finally to publishing the crates — we decided to delete the crates entirely from static.crates.io to prevent any further possibility of attack.[5] The deletion was performed at 17:22 UTC on August 18, 2023.

Analysis

In this case, the crates were solely and very obviously crafted for malicious purposes.

We have no evidence that any of these crates were downloaded by an actual user — analysis of the user agents associated with the download requests for these crates in our logs suggests that the only downloads were automated scanner and mirroring actions.

The user associated with these crates took no other actions — malicious or otherwise — in the 30 days[6] prior to August 18.

Future actions

The Rust Foundation's Security Initiative is planning future work on scanning all crate uploads, both in terms of typosquatting and the actual contents of the crate files. The prototypes of both projects would have detected these crate files, and the crates.io team intends to work with the Foundation to implement these scanners once ready.
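To illustrate the kind of name check a typosquatting scanner performs, here is an added example (not the Rust Foundation's prototype and not crates.io code) that flags a newly published name within a small edit distance of a popular crate. The function names, the popular-crate list and the distance threshold are assumptions made for the illustration.

```rust
// Added illustration: not the Rust Foundation's scanner or crates.io code.
// The popular-crate list and the threshold below are constructed sample values.

/// crates.io treats `-` and `_` as the same name and ignores case,
/// so compare names in one canonical form.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('_', "-")
}

/// Levenshtein edit distance over bytes (crate names are ASCII).
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, &ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, &cb) in b.iter().enumerate() {
            let subst = prev[j] + usize::from(ca != cb);
            cur.push(subst.min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns the popular crate that `candidate` most closely imitates, if any.
/// `max_distance` is an assumed tuning knob, not a value from the postmortem.
fn typosquat_target<'a>(candidate: &str, popular: &[&'a str], max_distance: usize) -> Option<&'a str> {
    let cand = normalize(candidate);
    popular
        .iter()
        .map(|p| (*p, edit_distance(&cand, &normalize(p))))
        // Distance 0 is the same canonical name, which the registry already rejects.
        .filter(|&(_, d)| d > 0 && d <= max_distance)
        .min_by_key(|&(_, d)| d)
        .map(|(p, _)| p)
}

fn main() {
    let popular = ["proc-macro2", "serde", "tokio"]; // constructed sample list
    for name in ["proc-macro", "Proc_Macro", "tokoi", "my-unrelated-crate"] {
        match typosquat_target(name, &popular, 2) {
            Some(target) => println!("{name}: review, resembles {target}"),
            None => println!("{name}: no close match"),
        }
    }
}
```

A fixed threshold produces false positives on very short names, so a real scanner would feed matches into review rather than block uploads outright.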

Thanks

Our thanks to Louis Lang at Phylum for reporting the crates, Josh Stone for facilitating the report, and Walter Pearce at the Rust Foundation for assisting with the analysis.

  1. Typosquatting is a technique used by bad actors to initiate dependency confusion attacks where a legitimate user might be tricked into using a malicious dependency instead of their intended dependency — for example, a bad actor might try to publish a crate at proc-macro to catch users of the legitimate proc-macro2 crate.

  2. Telegram is a popular instant messaging app.

  3. One wonders why they couldn't do this after sending the IP address to their Telegram channel, but federated workloads are apparently all the rage in 2023.

  4. PuTTY is a popular SSH client for Windows.

  5. The crates were preserved for future analysis should there be other attacks, and to inform scanning efforts in the future.

  6. One year of logs is retained on crates.io, but only 30 days are immediately available on our log platform. We chose not to go further back in our analysis, since IP address based analysis is limited by the use of dynamic IP addresses in the wild, and the relevant IP address being part of an allocation to a residential ISP.