Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets
Briefly

"Although the crates pose as local time utilities, their core behavior is credential and secret theft. They attempt to collect sensitive data from developer environments, most notably .env files, and exfiltrate it to threat actor-controlled infrastructure."
"Chrono_anchor incorporates the exfiltration logic within a file named guard.rs that's invoked from an optional sync helper function so as to avoid raising developer suspicions. Unlike other malware, the code observed in this case does not aim to set up persistence on the host through a service or scheduled task."
"The targeting of .env files is no accident, as it's typically used to hold API keys, tokens, and other secrets, allowing an attacker to compromise downstream users and gain deeper access to their environments, including cloud services, databases, and GitHub and registry tokens."
Five malicious Rust packages published to crates.io between late February and early March 2026 impersonate time-related utilities while stealing sensitive data. These crates, attributed to a single threat actor, target .env files containing API keys, tokens, and other secrets from developer environments. Four packages use straightforward exfiltration methods, while chrono_anchor employs obfuscation techniques to avoid detection by hiding malicious code within a guard.rs file invoked through an optional sync function. Rather than establishing persistence, the malware exfiltrates secrets each time a CI workflow executes the code. Compromised .env files enable attackers to access downstream systems, cloud services, databases, and authentication tokens.
Read at The Hacker News
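A lockfile check that a CI job could run for the crate named above, as an added example that is not code from the article. It assumes a `Cargo.lock` in Cargo's usual `[[package]]` layout; `DENYLIST`, `SAMPLE_LOCK` and the function names are illustrative, and the sample lockfile is constructed.

```rust
// Added example, not the article's code. DENYLIST holds the one crate name the page gives.
const DENYLIST: &[&str] = &["chrono_anchor"];

// Constructed sample Cargo.lock; versions are placeholders, not real releases.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "chrono"
version = "0.0.1"

[[package]]
name = "chrono_anchor"
version = "0.0.0"
"#;

// crates.io treats case and '-'/'_' as equivalent for uniqueness; normalize before comparing.
fn normalize(name: &str) -> String {
    name.trim().to_ascii_lowercase().replace('-', "_")
}

// Pull the value out of a `key = "value"` line; None for anything else.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Return (name, version) of every [[package]] entry whose name is denylisted.
pub fn find_denylisted(lockfile: &str, denylist: &[&str]) -> Vec<(String, String)> {
    let deny: Vec<String> = denylist.iter().map(|n| normalize(n)).collect();
    let mut hits = Vec::new();
    let (mut name, mut version) = (String::new(), String::new());
    // The chained sentinel header flushes the final package block.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        if line.trim_start().starts_with('[') {
            if deny.contains(&normalize(&name)) {
                hits.push((name.clone(), version.clone()));
            }
            (name, version) = (String::new(), String::new());
        } else if let Some(v) = quoted_value(line, "name") {
            name = v.to_string();
        } else if let Some(v) = quoted_value(line, "version") {
            version = v.to_string();
        }
    }
    hits
}

fn main() {
    println!("{:?}", find_denylisted(SAMPLE_LOCK, DENYLIST));
}
```

Because the malware described here runs whenever the workflow executes the code, a check like this belongs before the build step, and a non-empty result should fail the job.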