crates.io phishing attempt

Date: September 12, 2025
Tags: #rust, #security
Reading time: 1 min

---

Overview

Following an earlier npm supply chain attack, the Rust ecosystem's main package repository, crates.io, became the target of a phishing campaign. The attack aims to deceive crate maintainers by impersonating official communications.

---

Details of the Phishing Attempt

A phishing email was sent to several Rust crate maintainers. The email falsely claimed there was a security breach on crates.io. It warned of unauthorized access to user information and urged users to "rotate your login info" by signing into a fake internal SSO. The email included a link leading to a counterfeit GitHub login page designed to steal credentials.

Phishing Email Sample

The email wording indicated:

"We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture..."

Users were directed to sign in via a URL mimicking an internal Single Sign-On portal.

Fake GitHub Login Page

The phishing link redirected maintainers to a well-crafted fake GitHub sign-in page. The fake page closely resembled the real GitHub login interface.

---

Response and Current Status

The issue has been openly discussed in a GitHub discussion thread. The official crates.io team acknowledged the phishing campaign. As of September 12, 14:10 UTC, no crates or packages have been confirmed as compromised. The Rust Security Response Working Group published an official blog post about the incident.

---

Key Links

Rust Security Response WG blog post on the phishing campaign
GitHub discussion about the attack

---

Summary

Crates.io maintainers should be vigilant against phishing emails masquerading as breach notifications. Never enter credentials on pages reached through unsolicited email links. Follow official Rust and crates.io communication channels for updates. No evidence yet of package compromise, but ongoing review is underway.

---

This alert highlights the growing trend of supply chain attacks and phishing attempts targeting software package maintainers, underscoring the importance of security awareness in open source ecosystems.
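As an added illustration that is not part of the original alert, the check below flags links in an email like the one described above whose host is not crates.io, github.com or rust-lang.org (crates.io signs users in through GitHub, so a genuine login link lands on github.com). The sample email text and the lookalike host in it are constructed for this example; the official-host list is an assumption a team would adjust to its own policy.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts a genuine crates.io / Rust project message may link to.
OFFICIAL_HOSTS = {"crates.io", "github.com", "rust-lang.org"}

# Crude link extractor: stops at whitespace, quotes, brackets and parentheses.
URL_RE = re.compile(r'https?://[^\s<>"()\[\]]+')


def host_is_official(url: str) -> bool:
    """True only if the link's host is an official host or a subdomain of one.

    urlsplit().hostname already strips userinfo ("github.com@evil.example")
    and ports, and lowercases, so the comparison is done on the real host.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return False
    # Exact match or real subdomain; "github.com.sso-portal.example" fails
    # because it does not END with ".github.com".
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def suspicious_links(email_body: str) -> list:
    """Return every link in the body that does not lead to an official host."""
    return [u for u in URL_RE.findall(email_body) if not host_is_official(u)]


# Constructed sample modelled on the alert: breach notice, "rotate your login
# info", and a lookalike SSO host that begins with "github.com" but is not it.
SAMPLE_EMAIL = """\
We recently discovered that an unauthorized actor had compromised the crates.io
infrastructure and accessed a limited amount of user information.
Please rotate your login info via our internal SSO:
https://github.com.sso-portal.example/login
Reference: https://crates.io/policies
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("suspicious link:", link)
```

A link that passes this check is not proven safe (a compromised official account could still post one); the point is that a "sign in" link failing it, as the one in the alert would, warrants treating the whole message as phishing.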