A recent report has uncovered a concerning incident involving the Rust programming language’s crate registry. The incident highlights how exposed Rust’s package ecosystem is to supply chain attacks and the need for developers to exercise caution in their software development activities.

Description

Between August 14 and 16, 2023 [1] [3] [4] [6], a user named “amaperf” uploaded several malicious packages to the Rust programming language’s crate registry. These packages [1] [2] [3] [4] [5] [6], including postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger [1] [3] [4], were identified and removed by DevSecOps company Phylum. The attacker relied on typosquatting: the package names are close enough to those of legitimate crates that a developer who mistypes or misremembers a name pulls in the malicious package instead. Investigations revealed that the packages were designed to collect information about the operating system and transmit it to a hard-coded Telegram channel [6]. This suggests that the campaign was still in its early stages [1] [4] [6], with the goal of compromising developer machines in order to distribute rogue updates [6]. This is not the first time the crate registry has been targeted in a supply chain attack [1] [3] [4] [6]: a similar campaign was uncovered in May 2022 [1] [4].
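One defensive check that follows from the typosquatting described above, added here as an example and not code from the report or from Phylum: compare every dependency name against an allow-list of well-known crates and flag near-misses. The allow-list, the sample dependency list, and the assumption that the seven names above imitate postgres, cfg-if, serde, once_cell, lazy_static and env_logger are constructed for this example.

```rust
/// Constructed allow-list of popular crates; a real check would use a larger one.
const KNOWN_CRATES: &[&str] =
    &["postgres", "cfg-if", "serde", "once_cell", "lazy_static", "env_logger"];
/// Constructed dependency list: the lookalike names from the report plus
/// two legitimate dependencies (serde_json, cfg-if) that must not be flagged.
const SAMPLE_DEPS: &[&str] = &["postgress", "if-cfg", "serd", "oncecell",
    "lazystatic", "envlogger", "xrvrv", "serde_json", "cfg-if"];

/// Levenshtein edit distance between two strings.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes()); // crate names are ASCII
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// crates.io treats '-' and '_' as the same character and names as case-insensitive.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// The known crate `dep` imitates, if any: within `max_dist` edits of it after
/// normalisation, or its '_'-separated segments swapped (if_cfg vs cfg_if).
fn lookalike(dep: &str, max_dist: usize) -> Option<&'static str> {
    let n = normalize(dep);
    if KNOWN_CRATES.iter().any(|k| normalize(k) == n) {
        return None; // exact match: this is the real crate, not an imitation
    }
    KNOWN_CRATES.iter().copied().find(|k| {
        let nk = normalize(k);
        edit_distance(&n, &nk) <= max_dist || nk.rsplit('_').collect::<Vec<_>>().join("_") == n
    })
}

/// (dependency, imitated crate) pairs for every suspicious name in `deps`.
fn suspicious_dependencies(deps: &[&str], max_dist: usize) -> Vec<(String, &'static str)> {
    deps.iter().filter_map(|d| lookalike(d, max_dist).map(|k| (d.to_string(), k))).collect()
}
fn main() {
    for (dep, real) in suspicious_dependencies(SAMPLE_DEPS, 1) {
        println!("{}: looks like {}", dep, real);
    }
}
```

Feeding it the dependency names from a project's Cargo.toml or from `cargo metadata` flags the six imitations while leaving xrvrv (no lookalike), serde_json and cfg-if alone.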

The incident also revealed several vulnerabilities in the crates.io infrastructure. The main API servers were breached [5], allowing the attacker to bypass authentication and publish any crate as any user [5]. There is an XSS vulnerability on crates.io [5], enabling the attacker to automatically accept invitations or steal login tokens from site visitors [5]. Additionally, a SQL injection vulnerability may leak GitHub authentication tokens [5]. The index repository was also hacked [5], allowing the attacker to change checksums and redirect tarballs to an attacker-controlled mirror [5].

If a developer’s own machine is compromised [5], the risk is file leakage [5] rather than arbitrary code execution [5]. A path traversal vulnerability could allow the attacker to read sensitive user-owned files [5]. However, if arbitrary code execution is possible [5], the attacker can hijack cargo publish or git push commands [5].

If a developer’s GitHub account is hacked [5], the attacker can take control of the account and potentially add themselves to GitHub teams that own crates [5]. They can also create new API tokens [5], send ownership invites to themselves [5], and remove other owners [5].

There are cases where a reputable crate that is a dependency of other crates falls under new management [5]. This can occur if the legitimate crate is given or sold to someone who turns out to be malicious [5]. Alternatively, a dispute between co-owners can lead to sabotage or destruction of the project [5].

A bad actor may publish intentionally malicious crates [5], hoping that someone will voluntarily install them [5]. These crates can contain obvious malware that attacks immediately [5], backdoors hidden behind obfuscated code that disguises their intent [5], or delayed attacks in which the malware is added only after victims have started using the crate [5].

Finally, there is the risk of attacks carried out by a malicious dependency via the build process [5].

Conclusion

The incident involving the Rust crate registry highlights the need for improved security measures and practices within the Rust ecosystem. Developers must exercise caution and due diligence in their software development activities [3], considering the increasing value of developers as targets due to their access to SSH keys, production infrastructure [1] [4] [5] [6], and valuable company IP [6]. It is crucial for the Rust community to address the vulnerabilities in the crates.io infrastructure and implement stronger authentication and authorization mechanisms. Additionally, developers should be vigilant in managing their GitHub accounts and dependencies, ensuring that reputable crates are not compromised or manipulated. By taking these precautions, the Rust community can mitigate the risks associated with supply chain attacks and protect the integrity of their software projects.

References

[1] https://vulners.com/thn/THN:6F80101F49525926BD1F078F24670474
[2] https://riskybiznews.substack.com/p/malware-found-on-rust-package-repository
[3] https://thehackernews.com/2023/08/developers-beware-malicious-rust.html
[4] https://www.redpacketsecurity.com/developers-beware-malicious-rust-libraries-caught-transmitting-os-info-to-telegram-channel/
[5] https://users.rust-lang.org/t/supply-chain-attack-scenarios/57097
[6] https://cybersec84.wordpress.com/2023/08/28/rust-developers-targeted-by-malicious-libraries-that-transmit-data-to-telegram/