Attempted malware attack against Crates.io thwarted

SecurityWeek reports that Rust package registry Crates.io has been targeted by an attempted malware attack involving typosquatted packages that has been averted with the immediate identification and removal of the malicious packages. Some of the packages had code that enabled the delivery of compromised host information to a Telegram channel as part of a callback mechanism, which could have also been exploited to facilitate the release of more malicious packages, according to a Phylum report. Researchers also noted that such a malware attack could have resulted in data or secret exfiltration. "It's hard to say with any degree of certainty whether or not this campaign would have evolved into something more nefarious. What we can say is that we've seen this play out many times before in many other ecosystems, and the outcome was always the same. Developers were compromised, credentials/secrets were stolen, data was exfiltrated, and in some cases, money was lost as a result," said Phylum.