Earlier this week, there was an npm supply chain attack.
Now it’s the turn of crates.io, the main public repository for Rust crates (packages).
The phishing e-mail looks like this:
And it leads to a GitHub login page that looks like this:
Several maintainers received it — the issue is being discussed on GitHub.
The crates.io team has acknowledged the attack and said they’d see if they can do something about it.
No compromised packages have been identified as of yet (Sep 12, 14:10 UTC).
Important links: