Ethical Hacking News
Recent research has uncovered five malicious Rust crates that exploit CI/CD pipelines to steal developer secrets. These crates masquerade as time-related utilities but actually transmit .env file data to threat actors. The affected packages were published between late February and early March 2026, and a recent incident involving Aqua Security highlights the risk posed by low-complexity supply chain malware.
Rust crates have been discovered that exploit CI/CD pipelines to steal developer secrets. The affected crates were published between late February and early March 2026, with one threat actor believed responsible. The malicious crates masquerade as time-related utilities but transmit .env file data to threat actors. Four of the packages exfiltrate .env files in a straightforward way, while "chrono_anchor" uses more sophisticated techniques for obfuscation and evasion. A recent incident highlights how these malicious crates can be used in real-world attacks, compromising sensitive data through CI/CD pipeline exploits. Developers should prioritize controls to stop malicious dependencies, such as rotating keys and tokens, auditing CI/CD jobs, and limiting outbound network access.
The cybersecurity landscape continues to evolve, with new threats emerging on a daily basis. A recent discovery by security researchers has shed light on five malicious Rust crates that have been found to exploit CI/CD pipelines to steal developer secrets. The Rust packages, published to crates.io, masquerade as time-related utilities but actually transmit .env file data to threat actors.
The affected Rust crates include chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync. These packages were published between late February and early March 2026, indicating that the attack may have started before this timeframe. It is believed that a single threat actor was responsible for creating these malicious crates.
Kirill Boychenko, a security researcher, stated that "Although the crates pose as local time utilities, their core behavior is credential and secret theft." These crates attempt to collect sensitive data from developer environments, most notably .env files, and exfiltrate it to threat actor-controlled infrastructure.
Four of the affected packages exfiltrate .env files in a fairly straightforward way, while "chrono_anchor" incorporates more sophisticated techniques for obfuscation and evasion.
A recent incident involving Aqua Security highlights how these malicious crates can be used in real-world attacks. The company's Trivy security scanner discovered that hackerbot-claw exploited a pull_request_target workflow to steal a Personal Access Token (PAT). The stolen credential was then used to take over the repository, showing how sensitive data can be compromised through CI/CD pipeline exploits.
In addition to Aqua Security, other major open-source repositories were targeted by the GitHub account hackerbot-claw, which scanned public repositories for exploitable GitHub Actions workflows to harvest developer secrets. This attack campaign highlights the risk posed by low-complexity supply chain malware, which can still deliver high impact when it runs inside developer workspaces and CI jobs.
It is essential for developers to prioritize controls that stop malicious dependencies before they execute, such as rotating keys and tokens, auditing CI/CD jobs that run with publish or deploy credentials, and limiting outbound network access where possible.
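One way to audit a project for the five crate names listed above is to scan its Cargo.lock in a CI step. The program below is an added example, not code from the researchers or from crates.io. The sample lockfile and its version numbers are constructed, and matching '-' with '_' is a deliberately loose choice made here.

```rust
use std::{collections::HashSet, env, fs, process};

// Crate names reported in the article above.
const REPORTED: &str = "chrono_anchor dnp3times time_calibrator time_calibrators time-sync";
// Constructed lockfile for the demo; versions are placeholders, not real releases.
const SAMPLE: &str = r#"version = 3
[[package]]
name = "app"
version = "0.1.0"
dependencies = ["time_calibrator", "time_sync"]
[[package]]
name = "time_calibrator"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "time_sync"
version = "0.0.0"
"#;

// Loose matching: '-' and '_' compare equal, so "time_sync" matches "time-sync".
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

// Returns the value of a `key = "value"` line, or None for any other line.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Returns (name, version, from_registry) for each [[package]] with a reported name.
pub fn scan(lock: &str) -> Vec<(String, String, bool)> {
    let bad: HashSet<String> = REPORTED.split_whitespace().map(normalize).collect();
    let mut hits = Vec::new();
    for entry in lock.split("[[package]]").skip(1) {
        let find = |k: &str| entry.lines().find_map(|l| quoted(l, k)).unwrap_or("");
        if bad.contains(&normalize(find("name"))) {
            // Path and workspace crates have no `source`; registry crates do.
            let registry = find("source").starts_with("registry+");
            hits.push((find("name").to_string(), find("version").to_string(), registry));
        }
    }
    hits
}

fn main() {
    let lock = env::args().nth(1).map(|p| fs::read_to_string(p).expect("read lockfile"));
    let hits = scan(lock.as_deref().unwrap_or(SAMPLE));
    for h in &hits { println!("reported crate in lockfile: {:?}", h); }
    process::exit(if hits.is_empty() { 0 } else { 1 });
}
```

Run it with the path to a Cargo.lock as the first argument; a non-zero exit fails the CI step. An entry with a false registry flag is a local crate that merely shares a reported name.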
The recent discovery of these malicious Rust crates serves as a reminder of the importance of cybersecurity in developer workspaces. By being aware of potential threats and taking proactive steps to secure our environments, we can reduce the risk of data breaches and maintain the integrity of our applications.
Related Information:
https://www.ethicalhackingnews.com/articles/Five-Malicious-Rust-Crates-Exploit-CICD-Pipelines-to-Steal-Developer-Secrets-ehn.shtml
Published: Wed Mar 11 01:46:19 2026 by llama3.2 3B Q4_K_M