Skip to content
supplychainattack.orgSupply chain attack incident catalog
resolvedcritical

Malicious code in littest (crates.io)

The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any Rust project that installed littest version 0.3.1 from crates.io
Ecosystems
Attack vectors
Affected entities
  • littest · 0.3.1

The OpenSSF Package Analysis project identified the Rust crate 'littest' version 0.3.1 published on crates.io as containing malicious code. The malicious behavior was detected through communication with a domain associated with malicious activity.\n\nThis incident was documented in the OpenSSF's malicious-packages repository (MAL-2023-8429) and reported via GitHub Security Advisory GHSA-9cpx-g2hc-4j42.\n\nAny Rust project that added littest 0.3.1 as a dependency would have been affected by this malicious package.

Indicators of compromise

Packages
  • littest@0.3.1

Remediation

  • Remove littest 0.3.1 from all project dependencies immediately
  • Audit any systems that may have executed code from littest 0.3.1 for signs of compromise
  • Review crates.io for any other suspicious versions of littest or similarly-named packages
  • Use dependency scanning tools to identify if littest 0.3.1 was installed in any projects

Sources

  1. GitHub Advisory GHSA-9cpx-g2hc-4j42 · GitHub Advisory Database

Cite this entry

"Malicious code in littest (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-littest-crates-io-p7h4sn

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in proton_pfff (crates.io)

    The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  2. containedcritical

    Malicious code in mysten_metrics (crates.io)

    The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

    CargoCompromised package
  3. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  4. containedcritical

    Malicious code in amzn_consolas_client (crates.io)

    The Rust crate amzn-consolas-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package