add crates.io phishing post

pietroalbini · pietroalbini · commit 0236f550d5cb · 2025-09-12T16:07:29.000+02:00
diff --git a/content/2025-09-crates-io-phishing-campaign.md b/content/2025-09-crates-io-phishing-campaign.md
@@ -0,0 +1,22 @@
++++
+path = "2025/09/12/crates-io-phishing-campaign"
+title = "crates.io phishing campaign"
+authors = ["Rust Security Response WG", "crates.io team"]
+aliases = []
++++
+
+We received multiple reports of a phishing campaign targeting crates.io users
+(from the `rustfoundation.dev` domain name), mentioning a compromise of our
+infrastructure and asking users to authenticate to limit damage to their crates.
+
+These emails are malicious and come from a domain name not controlled by  the
+Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing
+your GitHub credentials. We have no evidence of a compromise of the crates.io
+infrastructure.
+
+We are taking steps to get the domain name taken down and to monitor for
+suspicious activity on crates.io. Do not follow any links in these emails if you
+receive them, and mark them as phishing with your email provider.
+
+If you have any further questions please reach out to security@rust-lang.org and
+help@crates.io.
