Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in mysten_metrics (crates.io)

The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
All users of mysten-metrics version 9.0.3 from crates.io
Ecosystems
Attack vectors
Affected entities
  • mysten-metrics · 9.0.3

The OpenSSF Package Analysis project identified mysten-metrics version 9.0.3 published on crates.io as containing malicious code. The package was flagged for executing one or more commands associated with malicious behavior, indicating active compromise of the package contents rather than a vulnerability in legitimate code.

This incident was disclosed via GitHub Advisory GHSA-4vwj-fpjf-wmmg and tracked in the OpenSSF malicious-packages repository. The malicious behavior was detected through automated analysis of package behavior during installation or execution.

Users of mysten-metrics 9.0.3 should immediately remove or update the dependency. The package should not be used in any production or development environment.

Indicators of compromise

Packages
  • mysten-metrics@9.0.3

Remediation

  • Remove mysten-metrics 9.0.3 from all projects immediately
  • Audit any systems where mysten-metrics 9.0.3 was installed for signs of compromise
  • Update to a known-safe version of mysten-metrics if available, or identify an alternative package
  • Review crates.io for any other suspicious versions of mysten-metrics
  • Check for any malicious commands that may have been executed during package installation

Sources

  1. GitHub Advisory GHSA-4vwj-fpjf-wmmg · GitHub Advisory Database

Cite this entry

"Malicious code in mysten_metrics (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-mysten-metrics-crates-io-1fkvrt

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in proton_pfff (crates.io)

    The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  2. resolvedcritical

    Malicious code in littest (crates.io)

    The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

    CargoCompromised package
  3. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  4. containedcritical

    Malicious code in amzn_consolas_client (crates.io)

    The Rust crate amzn-consolas-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package