Rust-y Chains: The sha-rust Supply Chain Ambush
Vulnerability ID: GHSA-3MMG-7C2Q-8938
CVSS Score: 10.0
Published: 2026-02-06
A sophisticated supply chain attack targeting the Rust ecosystem through the malicious sha-rust crate. By leveraging a multi-stage loading mechanism involving a typosquatted loader (finch-rust), attackers successfully bypassed initial scrutiny to exfiltrate sensitive developer credentials via compile-time execution scripts.
TL;DR
Attackers published finch-rust (mimicking finch) which pulled in sha-rust. The payload in sha-rust utilized build.rs to steal AWS keys and SSH credentials during compilation. If you installed it, your secrets are already gone.
⚠️ Exploit Status: ACTIVE
Technical Details
- Attack Vector: Supply Chain / Typosquatting
- CWE: CWE-506: Embedded Malicious Code
- Execution Stage: Compile Time (build.rs)
- Target: Developer Credentials (AWS, SSH, Kube)
- CVSS (Est): 10.0 (Critical)
- Status: Removed from Crates.io
Affected Systems
- Rust Development Environments
- CI/CD Pipelines (GitHub Actions, GitLab CI)
- Production Build Servers
- sha-rust: All versions (Fixed in: N/A (Malicious))
- finch-rust: All versions (Fixed in: N/A (Malicious))
Exploit Details
- Socket Research: Analysis of the exfiltration logic found in the crate.
Mitigation Strategies
- Credential Rotation
- Dependency Auditing
- Network Monitoring
- Environment Isolation
Remediation Steps:
- Identify presence of sha-rust or finch-rust in Cargo.lock.
- Delete the affected project directory and clean cargo cache.
- Rotate ALL credentials (AWS, SSH, GPG, API Keys) exposed on the infected host.
- Review CI/CD logs for unauthorized external connections.
- Implement cargo-audit in the build pipeline to block known malicious crates.
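The first remediation step above (checking Cargo.lock for the two crate names) and the compile-time build.rs vector can both be scripted. The following POSIX shell helper is an added example written for this advisory, not tooling from Socket or from the crates involved: `check_lockfile` greps a Cargo.lock for the crate names the advisory names, and `list_build_scripts` lists which unpacked dependency sources carry a build.rs (the stage at which sha-rust ran). The source directory it scans is an assumption (typically `~/.cargo/registry/src/<index>/` or a `cargo vendor` output); the sample Cargo.lock written by `demo` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory). Scans a Cargo.lock for the
# crates named in GHSA-3MMG-7C2Q-8938 and lists dependencies that execute
# code at compile time via build.rs.

# Crate names taken from the advisory; extend this list as new names surface.
MALICIOUS_CRATES="sha-rust finch-rust"

# check_lockfile <Cargo.lock>
# Prints "FOUND: <crate> in <lock>" for each hit; returns 1 if any hit, else 0.
check_lockfile() {
    lock="$1"
    found=0
    for crate in $MALICIOUS_CRATES; do
        # Cargo.lock package entries carry a line of the form:  name = "crate"
        if grep -q "^name = \"$crate\"\$" "$lock"; then
            echo "FOUND: $crate in $lock"
            found=1
        fi
    done
    return $found
}

# list_build_scripts <dir-of-unpacked-crates>
# Prints the directory name (crate-version) of every crate shipping a build.rs.
# Assumed layout: <dir>/<crate>-<version>/build.rs, as in ~/.cargo/registry/src/*/
list_build_scripts() {
    srcdir="$1"
    for f in "$srcdir"/*/build.rs; do
        [ -f "$f" ] || continue
        d=${f%/build.rs}
        echo "${d##*/}"
    done
}

# demo: builds a constructed sample tree and runs both checks against it.
demo() {
    tmp=$(mktemp -d)
    # Constructed Cargo.lock: one malicious entry, one benign entry.
    cat > "$tmp/Cargo.lock" <<'EOF'
[[package]]
name = "finch-rust"
version = "0.1.0"

[[package]]
name = "serde"
version = "1.0.0"
EOF
    mkdir -p "$tmp/src/finch-rust-0.1.0" "$tmp/src/serde-1.0.0"
    : > "$tmp/src/finch-rust-0.1.0/build.rs"   # only the typosquat has a build script

    echo "== lockfile check =="
    check_lockfile "$tmp/Cargo.lock" || echo "action: remove project dir, clean cache, rotate credentials"
    echo "== crates with build.rs (review each before trusting compile-time code) =="
    list_build_scripts "$tmp/src"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `sh check_crates.sh --demo` to see it against the constructed sample, or source the file and call `check_lockfile ./Cargo.lock` and `list_build_scripts ~/.cargo/registry/src/*/` in a real checkout. A non-zero return from `check_lockfile` is the signal to treat the host as compromised and proceed with the remaining remediation steps; the build.rs listing is a review aid, since a build script is not malicious by itself.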
References
Read the full report for GHSA-3MMG-7C2Q-8938 on our website for more details including interactive diagrams and full exploit analysis.