Malicious code in supertag (crates.io)
The Rust crate 'supertag' version 99.1.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.
- Disclosed
- Last updated
- Blast radius
- All users of supertag version 99.1.1 from crates.io
- Ecosystems
- Attack vectors
- Affected entities
- supertag · 99.1.1
The OpenSSF Package Analysis project identified supertag version 99.1.1 published on crates.io as containing malicious code. The analysis determined the package exhibits two key indicators of compromise: communication with domains associated with malicious activity and execution of commands consistent with malicious behavior.
The malicious package was detected and reported through the OpenSSF's malicious-packages repository, which tracks confirmed malicious software in open-source ecosystems. The detection was attributed to hash 8af13a06fb931a42d83e13b19fd998ff62e59ef3d56302bfe9d257e07e2bad46.
Users who have installed supertag version 99.1.1 should immediately remove or update the package. The package should be considered compromised and any systems that executed it should be treated as potentially compromised.
Indicators of compromise
- Packages
- supertag@99.1.1
Remediation
- Immediately remove supertag version 99.1.1 from all projects and systems
- Update to a known-safe version of supertag if available, or remove the dependency entirely
- Audit systems that executed the malicious package for signs of compromise
- Review any credentials or sensitive data that may have been exposed on affected systems
- Monitor for suspicious network activity or command execution on affected hosts
Sources
- GitHub Advisory GHSA-ppxc-v5qv-9fm6 · GitHub Advisory Database
Cite this entry
"Malicious code in supertag (crates.io)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 18, 2026; last updated July 18, 2026. https://supplychainattack.org/incident/malicious-code-in-supertag-crates-io-1sojt9
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malicious code in proton_pfff (crates.io)
The Rust crate proton-pfff version 99.99.5 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.
CargoCompromised package - containedcritical
Malicious code in mysten_metrics (crates.io)
The Rust crate mysten-metrics version 9.0.3 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package executes commands associated with malicious behavior.
CargoCompromised package - resolvedcritical
Malicious code in littest (crates.io)
The Rust crate 'littest' version 0.3.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain associated with malicious activity.
CargoCompromised package - containedcritical
Malicious code in amzn_codewhisperer_streaming_client (crates.io)
The Rust crate amzn-codewhisperer-streaming-client version 99.0.1 on crates.io was identified as malicious by the OpenSSF Package Analysis project. The package communicates with domains associated with malicious activity and executes commands consistent with malicious behavior.
CargoCompromised package