Crates.io phishing

[Barre]

In light of the recent NPM compromise, I wanted to warn others who might receive similar messages. Immediately after publishing a new version of https://crates.io/crates/zerofs, I received the following:

Hi, Barre!

We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture.

We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in [redacted] to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you.

The page looks like:

It seems that the phishing website is a full proxy to Github:

[Turbo87]

thanks for reporting this! we'll see if there is something we can do about it.

[Turbo87]

status report:

• we have sent a takedown request to the domain provider
• we have sent an email to the GitHub security team
• we have published https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/ and amplified it on social media
• we are monitoring API token creations for suspicious activity
• the domain has been reported to https://safebrowsing.google.com/

[Barre]

Very cool, thanks!

[carols10cents]

If anyone realizes they have exposed their creds through this attack, please contact us at [email protected] asap (and contact GitHub as well)! (no shame!!!)

[MichaelMcDonnell]

Has anyone reported this infrastructure attack to the Cybersecurity and Infrastructure Security Agency (CISA)?

[Turbo87]

there has been no infrastructure attack. that is only what the phishing email claimed. the only attack that is real is the phishing attack itself.

[MichaelMcDonnell]

I guess I have a different definition of infrastructure. The way I'm seeing it is that Rust is used in infrastructure code. The attacker tried to gain control to the distribution of the infrastructure code, thereby taking over control of the infrastructure?

If, not CISA, then I think FBI ought to be notified?

[Barre]

I guess I have a different definition of infrastructure. The way I'm seeing it is that Rust is used in infrastructure code. The attacker tried to gain control to the distribution of the infrastructure code, thereby taking over control of the infrastructure?

If, not CISA, then I think FBI ought to be notified?

Following the same logic, anytime there's a failed login attempt to any account on crates.io that has published a crate, a notification and report should be issued. That does not look useful / sustainable.

[rursprung]

FYI: out of interest i went to https://rustfoundation.dev/ and it now shows this instead:

crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)
[email protected]

[joshstoik1]

And now:

<html><head></head><body>SOLD! wow that was quick.<br>
whoever thinks this was "sophisticated" is clearly fearmongering. it took me less than 15mins to setup the whole thing, if we neglect 30mins for btc and xmr confirmation times.<br>
goodbye.
</body></html>

[Barre]

FYI: out of interest i went to https://rustfoundation.dev/ and it now shows this instead:

crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)

[email protected]

Even though there's probably not much merit to the claims, it'd be interesting to look into unusual token issuance activity since when that domain was registered.

Creation Date: 2025-09-12T07:13:16.998Z

[carols10cents]

Yes, we have been monitoring, and we're considering revocation of tokens created since that time out of an abundance of caution.

[dertin]

Hi everyone,

Last night I put together a small proof of concept to explore adding a cooldown window for newly published crates on crates.io to improve supply-chain security in Cargo https://crates.io/crates/cargo-cooldown

I'd love feedback on feasibility and possible integration paths. For now it queries the crates.io HTTP API because the registry index still doesn’t include publish timestamps, which are needed to enforce the cooldown age check. That is very inefficient.
Related issue: rust-lang/cargo#15973

Thanks!