Comment by athrowaway3z

2 months ago

> Day 1, 14:47 UTC — Among the exfiltrated credentials: the maintainer of vulpine-lz4, a Rust library for “blazingly fast Firefox-themed LZ4 decompression.” The library’s logo is a cartoon fox with sunglasses. It has 12 stars on GitHub but is a transitive dependency of cargo itself.

I got a bit curious and here is an incomplete list of crates to compromise to be part of the cargo build and that already have a build.rs so it doesn't stand out to much:

flate2 tar curl-sys libgit2-sys openssl-sys libsqlite3-sys blake3 libz-sys zstd-sys cc

As a nice bonus - if you get rights for xz2 you can compromise rustup.

Fwiw at least they do track Cargo.lock

15 comments

athrowaway3z

Reply
b40d-48b2-979e  2 months ago

-sys crates are just bindings and doing something else in them is highly suspect. The rest I recognize as being owned by a Rust maintainer like alexcrichton or rustlang itself.

  • nextaccountic  2 months ago

    > The rest I recognize as being owned by a Rust maintainer like alexcrichton

    The issue here isn't Alex Crichton going rogue, but rather, some malware stealing his credentials to use them to publish more malware in crates.io

    In this sense, the more well known and upstanding Rust developer, the higher the risk they will be targeted by such operations

    • b40d-48b2-979e  2 months ago

      With crates.io using GH as its IdP, I think there would be much farther reaching consequences to account pwning in that scenario. I agree, though, that the security model for crates.io is only as strong as the weakest link there, and would pray someone like Alex is using physical tokens or the like for his MFA and can't be conned by a well-crafted email.

  • duped  2 months ago

    sys crates are also mostly generated and lack a lot of eyeballs. Sneaking something into the build.rs of a sys crate would not be difficult and would land in the builds of everything downstream of it.