Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in semantic_search_client (crates.io)

The Rust crate semantic-search-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
All users of semantic-search-client version 99.0.1 from crates.io
Ecosystems
Attack vectors
Affected entities
  • semantic-search-client · 99.0.1

The OpenSSF Package Analysis project identified semantic-search-client version 99.0.1 published on crates.io as a malicious package. Analysis revealed two key indicators of compromise: the package establishes communication with a domain associated with known malicious activity, and it executes one or more commands consistent with malicious behavior patterns.\n\nThis finding was documented in the OpenSSF's malicious-packages repository under identifier MAL-2026-3102. The package was flagged through automated analysis of the crate's behavior and network communications.\n\nAny system that has installed or executed semantic-search-client version 99.0.1 may be affected. The package should be considered untrusted and removed from affected systems.

Indicators of compromise

Packages
  • semantic-search-client@99.0.1

Remediation

  • Immediately remove semantic-search-client version 99.0.1 from all systems and projects
  • Audit project dependencies to identify any use of semantic-search-client 99.0.1
  • Review system logs and network traffic from systems that may have executed this package for signs of compromise
  • If the package was used in a build pipeline, audit build artifacts and deployments for potential compromise
  • Update to a known-safe version of semantic-search-client if one exists, or replace with an alternative package
  • Consider running security scans on systems that may have been affected

Sources

  1. GitHub Advisory GHSA-jfw2-4jxj-8f9c · GitHub Advisory Database

Cite this entry

"Malicious code in semantic_search_client (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-semantic-search-client-crates-io-tq1j0u

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in proton_pfff (crates.io)

    The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package
  2. containedcritical

    Malicious code in mysten_metrics (crates.io)

    The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.

    CargoCompromised package
  3. resolvedcritical

    Malicious code in littest (crates.io)

    The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.

    CargoCompromised package
  4. containedcritical

    Malicious code in amzn_codewhisperer_streaming_client (crates.io)

    The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.

    CargoCompromised package