Skip to content

Commit 65a60b6

Browse files
LawnGnomeLawnGnome
committed
Add the advisories.
1 parent b47f376 commit 65a60b6

File tree

1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

content/crates.io-malicious-crate-update.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ Crates that contain malware _and_ are seeing real usage or exploitation will sti
1818

1919
Since we are announcing this policy change now, here is a retrospective summary of the malicious crates removed since [our last blog post][last-post] and today:
2020

21-
- `finch_cli_rust`, `finch-rst`, and `sha-rst`: the Rust security response working group was notified on December 9th, 2025 by Matthias Zepper of [National Genomics Infrastructure Sweden][ngi-sweden] that these crates were attempting to exfiltrate credentials by impersonating the `finch` and `finch_cli` crates. Advisories: [RUSTSEC-2025-XXXX][advisory-finch].
21+
- `finch_cli_rust`, `finch-rst`, and `sha-rst`: the Rust security response working group was notified on December 9th, 2025 by Matthias Zepper of [National Genomics Infrastructure Sweden][ngi-sweden] that these crates were attempting to exfiltrate credentials by impersonating the `finch` and `finch_cli` crates. Advisories: [RUSTSEC-2025-0150][advisory-finch-rst], [RUSTSEC-2025-0151][advisory-sha-rst], [RUSTSEC-2025-0152][advisory-finch-cli-rust].
2222
- `polymarket-clients-sdk`: we were notified on February 6th by [Socket][socket] that this crate was attempting to exfiltrate credentials by impersonating the `polymarket-client-sdk` crate. Advisory: [RUSTSEC-2026-0010][advisory-polymarket].
2323

2424
In all cases, the crates were deleted, the user accounts that published them were immediately disabled, and reports were made to upstream providers as appropriate.
@@ -27,6 +27,9 @@ In all cases, the crates were deleted, the user accounts that published them wer
2727

2828
Once again, our thanks go to Matthias and Socket for their reports. We also want to thank Dirkjan Ochtman from the secure code working group, Emily Albini from the security response working group, and Walter Pearce from the [Rust Foundation][foundation] for aiding in the response.
2929

30+
[advisory-finch-cli-rust]: https://rustsec.org/advisories/RUSTSEC-2025-0152.html
31+
[advisory-finch-rst]: https://rustsec.org/advisories/RUSTSEC-2025-0150.html
32+
[advisory-sha-rst]: https://rustsec.org/advisories/RUSTSEC-2025-0151.html
3033
[advisory-polymarket]: https://rustsec.org/advisories/RUSTSEC-2026-0010.html
3134
[foundation]: https://foundation.rust-lang.org/
3235
[last-post]: https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/

0 commit comments

Comments
 (0)