Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in proton_pfff (crates.io)

The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
All users of proton-pfff version 99.99.5 from crates.io
Ecosystems
Attack vectors
Affected entities
  • proton-pfff · 99.99.5

The OpenSSF Package Analysis project identified the Rust crate 'proton-pfff' version 99.99.5 published on crates.io as containing malicious code. Analysis revealed that the package communicates with a domain associated with malicious activity and executes one or more commands associated with malicious behavior.\n\nThe malicious package was detected through automated analysis and reported via the OpenSSF's malicious-packages repository. The incident was disclosed on July 18, 2026.\n\nAny system that installed or executed proton-pfff version 99.99.5 may have been compromised. The package should be immediately removed and systems should be audited for signs of compromise.

Indicators of compromise

Packages
  • proton-pfff@99.99.5

Remediation

  • Immediately remove proton-pfff version 99.99.5 from all systems and dependencies
  • Audit systems that installed or executed the malicious package for signs of compromise
  • Review network logs for connections to the malicious domain(s) identified by OpenSSF analysis
  • Update to a safe version of proton-pfff if one exists, or replace with an alternative package
  • Check Cargo.lock files and dependency trees to identify all affected projects

Sources

  1. GitHub Advisory GHSA-2c45-qvwj-8jfx · GitHub Advisory Database

Cite this entry

"Malicious code in proton_pfff (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-proton-pfff-crates-io-1uniox

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in mysten_metrics (crates.io)

    The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

    CargoCompromised package
  2. resolvedcritical

    Malicious code in littest (crates.io)

    The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

    CargoCompromised package
  3. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  4. containedcritical

    Malicious code in amzn_consolas_client (crates.io)

    The Rust crate amzn-consolas-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package