Rust Developers Targeted in New Phishing Campaign

Summary
– Developers publishing Rust crates on crates.io received phishing emails mimicking a security breach notification from the Rust Foundation.
– The emails directed recipients to a fake GitHub login page on a domain similar to the official Rust Foundation site to steal credentials.
– The crates.io team confirmed the emails were malicious and warned users not to interact with them, stating there was no actual infrastructure compromise.
– The phishing attempt was sophisticated enough to bypass some email filters and targeted developers shortly after they published new crates.
– This incident follows a similar recent phishing campaign targeting npm users, though it is unclear if the same attackers are responsible.
A new phishing campaign is actively targeting developers who publish crates (Rust packages and libraries) on the official crates.io registry. These malicious emails mimic a recent attack against npm users, attempting to steal GitHub credentials by posing as official security breach notifications from the Rust Foundation.
The fraudulent messages began arriving in developers’ inboxes on Friday, often just minutes after a new crate was published. Titled “Important: Breach notification regarding crates.io,” the emails were carefully crafted to appear legitimate. They falsely claimed that an attacker had compromised crates.io infrastructure and accessed sensitive user data. The message urged recipients to rotate their login credentials by clicking a link to a fake single sign-on portal.
That link directed users to `github.rustfoundation.dev`, a domain intentionally designed to resemble the legitimate Rust Foundation site. The page hosted a convincing imitation of GitHub’s login interface. Since many Rust developers use GitHub credentials to publish on crates.io, this tactic posed a significant threat.
Several targets quickly recognized the scam and reported it to the Rust Security Response Working Group and the crates.io team. Officials promptly issued a public warning, clarifying that the emails were malicious and that no breach of crates.io had occurred. They emphasized that the domain was not controlled by the Rust Foundation or the Rust Project and advised users to mark the messages as phishing.
It remains unclear whether any developers fell victim to the scheme. As developer Andrew Gallant noted, the attempt was sophisticated enough to bypass Gmail’s spam filters. Some telltale signs, like subtle domain discrepancies, might not be obvious to those less familiar with Rust’s organizational structure.
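The domain discrepancy described above can be checked mechanically. The following Python routine is an added illustration, not code from the article or from the crates.io team: it extracts links from a message, compares each link's registrable domain against an assumed allowlist of legitimate hosts, and flags links that place a trusted brand label such as `github` under an unrelated domain, which is exactly the shape of `github.rustfoundation.dev`. The allowlist, the brand labels and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately handle Rust/crates.io/GitHub logins.
TRUSTED_DOMAINS = {"github.com", "crates.io", "rust-lang.org", "rustfoundation.org"}
# Brand labels whose presence on an untrusted domain is a lookalike signal.
BRAND_LABELS = {"github", "crates", "rustfoundation", "rust-lang"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (ignores multi-label suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """'trusted' if the registrable domain is allowlisted, 'lookalike' if a brand
    label appears as a subdomain or inside an untrusted registrable domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    subdomain_labels = set(host.split(".")[:-2])
    if subdomain_labels & BRAND_LABELS or any(b in reg for b in BRAND_LABELS):
        return "lookalike"
    return "unknown"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in the message body."""
    return [(u.rstrip(".,)"), classify_link(u.rstrip(".,)"))) for u in URL_RE.findall(body)]


# Constructed sample modelled on the email described in the article.
SAMPLE_EMAIL = """Subject: Important: Breach notification regarding crates.io
Please rotate your credentials via our SSO portal:
https://github.rustfoundation.dev/sso/login
Our documentation remains at https://crates.io/policies.
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```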
Although the phishing page is now offline, an archived snapshot revealed that it was later replaced with a taunting message. The attacker boasted about possessing “crates.io db along with juicy tokens” and announced plans to sell the data. In response, crates.io team co-lead Tobias Bieniek confirmed that the GitHub security team had been notified and that suspicious API token activity was being monitored.
This incident echoes a similar campaign last week targeting npm maintainers, where fake security alerts tricked developers into surrendering login and two-factor authentication details. While it’s uncertain if the same threat actor is behind both attacks, the latest campaign suggests a growing trend of targeting open-source registries.
(Source: HelpNet Security)