Phishing campaign targets Rust developers

Developers publishing crates (binaries and libraries written in Rust) on crates.io, Rust’s main public package registry, have been targeted with emails echoing the recent npm phishing campaign.

The phishing email

The emails started hitting developers’ inboxes on Friday, minutes after they published a (new) crate on the registry.

The emails – titled “Important: Breach notification regarding crates.io” and made to look like they’ve been sent by the Rust Foundation – claimed that an attacker compromised the crates.io infrastructure and accessed some user information.

FYI, I got an obvious phishing attempt in my inbox from `[email protected]` that was masquerading as a security breach notification. It made it past gmail’s spam filters.

The link goes to the `github.rustfoundation.dev` domain.

— Andrew Gallant (@burntsushi.net) 12 September 2025 at 15:26

“We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in here to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you,” the email concluded.

The included link pointed to github.rustfoundation.dev, a domain purposefully similar to the Rust Foundation’s official one (rustfoundation.org). The phishing domain hosted a fake GitHub login page.

(Most Rust projects and crates are hosted on GitHub, and developers publishing on crates.io log in with their GitHub credentials.)
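A defender-side triage check, added here as an example (not from the article, the crates.io team or the Rust Foundation): it pulls links out of a message and flags any whose registrable domain is not on an allowlist, recording the two lookalike tells this campaign used, a trusted brand name as a subdomain label (github.rustfoundation.dev) and a trusted name under a different TLD (rustfoundation.dev vs rustfoundation.org). The allowlist and the sample email body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: domains a genuine crates.io / Rust Foundation notice would link to.
TRUSTED_DOMAINS = {"rustfoundation.org", "crates.io", "rust-lang.org", "github.com"}
# Brand labels an attacker may borrow ("github" in github.rustfoundation.dev).
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Constructed sample modelled on the email described in the article; not the real message.
SAMPLE_EMAIL = """Subject: Important: Breach notification regarding crates.io
We strongly suggest you rotate your login info by signing in here to our internal SSO:
https://github.rustfoundation.dev/login
Policy: https://rustfoundation.org/security
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Describe one link: its host, registrable domain and the reasons (if any) it looks like phishing."""
    host = urlparse(url).hostname or ""
    base = registrable_domain(host)
    reasons = []
    if base not in trusted:
        reasons.append("untrusted-domain")
        # Trusted brand used as a subdomain label of an untrusted domain.
        if any(label in BRAND_LABELS for label in host.lower().split(".")[:-2]):
            reasons.append("brand-in-subdomain")
        # Trusted second-level name registered under a different TLD.
        if base.split(".")[0] in BRAND_LABELS:
            reasons.append("brand-wrong-tld")
    return {"url": url, "host": host, "registrable": base, "reasons": reasons}


def flag_links(text: str) -> list:
    """Return only the links in the message that carry at least one reason for suspicion."""
    return [c for c in (classify_link(u) for u in URL_RE.findall(text)) if c["reasons"]]


if __name__ == "__main__":
    for hit in flag_links(SAMPLE_EMAIL):
        print(hit["host"], hit["reasons"])
```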

The aftermath

Some of the targets reported the emails to the Rust Security Response Working Group and the crates.io team, and they quickly issued a warning.

“These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials. We have no evidence of a compromise of the crates.io infrastructure,” they noted.

“We are taking steps to get the domain name taken down and to monitor for suspicious activity on crates.io. Do not follow any links in these emails if you receive them, and mark them as phishing with your email provider.”

It’s difficult to say at the moment if any of the email recipients had been duped and entered their credentials into the phishing page.

As developer Andrew Gallant (aka BurntSushi) noted, this was a “decent [phishing] attempt” that made it past Gmail’s spam filter, and some of the things that made it obvious to him that this was a phishing attempt might not be so obvious to those who are less “dialed into the Rust organization and how things actually work.”

The phishing page is currently inaccessible, but a snapshot captured on Friday shows that the phishing page was relatively quickly replaced with an “advertisement”, in which the attacker claimed to have the “crates.io db along with juicy tokens” and that they plan to sell it.

Tobias Bieniek, crates.io team co-lead, stated that they have sent an email to the GitHub security team and that they are monitoring API token creations for suspicious activity.

Compromising code registries

Last week, a developer who maintains several popular npm packages had his npmjs.com login credentials and two-factor authentication phished after being tricked by a fake security alert email that appeared to come from the npm Registry. Other developers have been targeted with the same email, and several fell for the trick, as well.

It’s unknown whether the two campaigns were mounted by the same attacker(s), but the one who launched this latest phishing campaign professedly won’t stop here.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.