Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in lsh (crates.io)

The Rust crate 'lsh' version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
All users of lsh version 99.0.1 on crates.io
Ecosystems
Attack vectors
Affected entities
  • lsh · 99.0.1

The OpenSSF Package Analysis project identified the Rust crate 'lsh' version 99.0.1 published on crates.io as containing malicious code. The analysis determined that the package exhibits two key indicators of malicious intent: it communicates with a domain associated with known malicious activity, and it executes one or more commands consistent with malicious behavior patterns.\n\nThis finding was reported through the OpenSSF's malicious-packages repository (MAL-2026-3126), which serves as a public record of confirmed malicious packages across multiple ecosystems. The package was flagged during automated analysis by the OpenSSF Package Analysis project.\n\nAny system that has installed or used lsh version 99.0.1 should be considered potentially compromised and require investigation.

Indicators of compromise

Packages
  • lsh@99.0.1

Remediation

  • Immediately remove lsh version 99.0.1 from all systems and environments
  • Audit systems that installed or used lsh 99.0.1 for signs of compromise or unauthorized activity
  • Review network logs for connections to the malicious domain identified in the analysis
  • Use only verified, trusted versions of lsh from crates.io if the package is still needed
  • Monitor for any suspicious command execution or data exfiltration on affected systems

Sources

  1. GitHub Advisory GHSA-ffmx-5mf5-q3hc · GitHub Advisory Database

Cite this entry

"Malicious code in lsh (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-lsh-crates-io-1u8aso

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in proton_pfff (crates.io)

    The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  2. containedcritical

    Malicious code in mysten_metrics (crates.io)

    The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

    CargoCompromised package
  3. resolvedcritical

    Malicious code in littest (crates.io)

    The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

    CargoCompromised package
  4. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package