Earlier this week, there was an npm supply chain attack.
Now it's the turn of crates.io, the main public repository for Rust crates (packages).
The phishing e-mail looks like this:
And it leads to a GitHub login page that looks like this:
Several maintainers received it — the issue is being discussed on GitHub.
The crates.io team has acknowledged the attack and said they’d see if they can do something about it.
No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).