Skip to content
supplychainattack.orgSupply chain attack incident catalog

Cargo supply chain incidents

9 confirmed incidents affecting the cargo ecosystem.

  1. containedcritical

    Malicious code in replit_ruspty (crates.io)

    The Rust crate replit_ruspty version 1.0.0 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  2. containedcritical

    Malicious code in supertag (crates.io)

    The Rust crate 'supertag' version 99.1.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  3. containedcritical

    Malicious code in semantic_search_client (crates.io)

    The Rust crate semantic-search-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  4. containedcritical

    Malicious code in lsh (crates.io)

    The Rust crate 'lsh' version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  5. containedcritical

    Malicious code in amzn_consolas_client (crates.io)

    The Rust crate amzn-consolas-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  6. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  7. resolvedcritical

    Malicious code in littest (crates.io)

    The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

    CargoCompromised package
  8. containedcritical

    Malicious code in mysten_metrics (crates.io)

    The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

    CargoCompromised package
  9. containedcritical

    Malicious code in proton_pfff (crates.io)

    The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package