crates.io Postmortem: User Uploaded Malware

Sept. 1, 2023 · Adam Harvey on behalf of the crates.io team

Summary

On August 16, the crates.io team was notified by Louis Lang at Phylum of a new user who had uploaded nine crates that typosquatted popular crates with ill intent. The crates were immediately yanked and the user account locked, and the crates were then fully removed from the crates.io file store on August 18.

Phylum have also written their own blog on this incident.

Contents

These crates contained malicious build.rs files that would attempt to send metadata from the user's computer to a Telegram channel, including their operating system, IP address, and geolocation information based on their IP address.

One version of one crate also contained a copy of the PuTTY installer, with the build.rs spawning PuTTY instead of sending metadata to Telegram. Our assumption is that this was an earlier stage of experimenting with what was possible from a build.rs file.

Actions taken

The crates were yanked and the associated user account was locked immediately after the crates.io team received the report. This would not have prevented someone from downloading the crate files directly from static.crates.io, but removed the crates from the crate index and made them uninstallable through normal cargo usage.

After analysing the crates in question and the logs related to all actions taken by this user — from signing up, searching for crates to typosquat, and finally to publishing the crates — we decided to delete the crates entirely from static.crates.io to prevent any further possibility of attack. The deletion was performed at 17:22 UTC on August 18, 2023.

Analysis

In this case, the crates were solely and very obviously crafted for malicious purposes.

We have no evidence that any of these crates were downloaded by an actual user — analysis of the user agents associated with the download requests for these crates in our logs suggests that the only downloads were automated scanner and mirroring actions.

The user associated with these crates took no other actions — malicious or otherwise — in the 30 days prior to August 18.

Future actions

The Rust Foundation's Security Initiative is planning future work on scanning all crate uploads, both in terms of typosquatting and the actual contents of the crate files. The prototypes of both projects would have detected these crate files, and the crates.io team intends to work with the Foundation to implement these scanners once ready.
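As an added illustration of the typosquatting side of such scanning (this is example code, not the Foundation's prototype or any crates.io code), the following screens a newly published crate name against a constructed list of popular crate names, treating one insertion, deletion, substitution or adjacent-letter swap as a near miss; the one-edit threshold and the list are assumptions for the example:

```rust
// Added example (not crates.io or Rust Foundation code): a simple typosquat
// screen for newly published crate names. The popular-crate list is constructed.

/// Optimal string alignment (restricted Damerau-Levenshtein) distance, so that
/// a single swapped pair of letters ("tokoi" for "tokio") counts as one edit.
fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            d[i][j] = (d[i - 1][j] + 1)          // deletion
                .min(d[i][j - 1] + 1)            // insertion
                .min(d[i - 1][j - 1] + cost);    // substitution
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1); // transposition
            }
        }
    }
    d[n][m]
}

/// Fold case and treat '-' and '_' alike: those differences are easy to miss
/// for a hurried reader, so they should not defeat the comparison.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Popular crates whose name is within one edit of `new_name` (exact matches
/// are skipped: crates.io would already reject a duplicate name).
pub fn typosquat_candidates<'a>(new_name: &str, popular: &[&'a str]) -> Vec<&'a str> {
    let candidate = normalize(new_name);
    popular
        .iter()
        .copied()
        .filter(|p| {
            let p_norm = normalize(p);
            p_norm != candidate && osa_distance(&candidate, &p_norm) <= 1
        })
        .collect()
}

fn main() {
    let popular = ["serde", "tokio", "rand", "regex", "syn"]; // constructed list
    for name in ["tokoi", "Serde-", "my_unique_crate"] {
        println!("{}: {:?}", name, typosquat_candidates(name, &popular));
    }
}
```

A real scanner would also need a review step, since legitimate crates can sit within one edit of a popular name.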

Thanks

Our thanks to Louis Lang at Phylum for reporting the crates, Josh Stone for facilitating the report, and Walter Pearce at the Rust Foundation for assisting with the analysis.