CVE Reports

Posted on • Originally published at cvereports.com

GHSA-6V2J-VR4H-F632: Rust in Peace: The 'finch_cli_rust' Supply Chain Ambush


Vulnerability ID: GHSA-6V2J-VR4H-F632
CVSS Score: 9.8
Published: 2026-02-12

In the modern development ecosystem, typing the wrong package name is akin to handing your house keys to a burglar. The 'finch_cli_rust' package, recently purged from crates.io, was a classic supply chain attack targeting users of the AWS 'Finch' container tool. By leveraging the inherent trust developers place in package registries and the powerful (and dangerous) build.rs mechanism in Rust, this malicious crate executed arbitrary code immediately upon installation—silently harvesting credentials and compromising development environments.

TL;DR

A malicious Rust crate named 'finch_cli_rust' (and aliases) was uploaded to crates.io, impersonating tools for AWS Finch. It utilized the build.rs build script feature to achieve Remote Code Execution (RCE) instantly when a developer ran cargo build or cargo install. The package has been removed, but affected users must assume full compromise of their local environment and rotate all exposed credentials.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain (Typosquatting)
  • Execution Point: cargo build / build.rs
  • Impact: Remote Code Execution (RCE) / Data Exfiltration
  • Severity: Critical
  • Target Ecosystem: Rust (crates.io)
  • Exploit Status: Active / Weaponized

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines running cargo build
  • Workstations with AWS Credentials exposed
  • finch_cli_rust: all versions (no fixed version; the crate has been removed from crates.io)

Exploit Details

Mitigation Strategies

  • Dependency Pinning: Always use Cargo.lock to ensure consistent builds.
  • Typosquatting Awareness: Double-check package names against official documentation before installing.
  • Registry Mirroring: Use private registries (like Artifactory) that proxy and scan public crates.
  • Least Privilege: Avoid running builds with global administrator or root privileges.

Remediation Steps

  1. Remove finch_cli_rust from Cargo.toml immediately.
  2. Delete Cargo.lock and regenerate it.
  3. Run cargo clean to remove build artifacts.
  4. Rotate all AWS keys, SSH keys, and API tokens present in the environment.
  5. Inspect shell configuration files (.bashrc, .zshrc) for added persistence mechanisms.
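The lockfile check and build-script inventory below are an added example for the mitigation and remediation lists above; they are not code from the original report or from the crate. The script audits a Cargo.lock for a known-bad crate name (here only finch_cli_rust; the report does not list the aliases, so none are assumed) and lists which extracted dependency sources ship a build.rs, the cargo-time execution point this advisory describes. The Cargo.lock contents, the stand-in registry source directory and the version numbers are constructed for the demonstration; on a real workstation, point it at the project's Cargo.lock and at ~/.cargo/registry/src/<index>/.

```shell
#!/bin/sh
# Added example (not from the original post or the crate): audit a Cargo.lock for
# known-bad crate names and inventory dependencies that carry a build.rs.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample Cargo.lock (not a real project's lockfile; versions are made up).
SAMPLE_LOCK="$WORKDIR/Cargo.lock"
cat > "$SAMPLE_LOCK" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "finch_cli_rust"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

# Constructed stand-in for ~/.cargo/registry/src/<index>/: two extracted crates,
# only one of which carries a build script (a harmless placeholder here).
SAMPLE_SRC="$WORKDIR/src"
mkdir -p "$SAMPLE_SRC/has-build-0.1.0/src" "$SAMPLE_SRC/plain-2.0.0/src"
printf 'fn main() {}\n' > "$SAMPLE_SRC/has-build-0.1.0/build.rs"

# lock_has_crate LOCKFILE CRATE: succeeds if CRATE is pinned anywhere in LOCKFILE.
lock_has_crate() {
    grep -Eq "^name = \"$2\"\$" "$1"
}

# locked_crates LOCKFILE: prints "name version" for every [[package]] entry.
# The top-level "version = 3" line is skipped because no name precedes it.
locked_crates() {
    awk -F'"' '/^name = /{n=$2} /^version = /{if (n != "") {print n, $2; n=""}}' "$1"
}

# locked_version LOCKFILE CRATE: prints the pinned version of CRATE (empty if absent).
locked_version() {
    locked_crates "$1" | awk -v c="$2" '$1 == c {print $2}'
}

# crates_with_build_script SRC_DIR: lists extracted crate directories that contain a
# build.rs, i.e. every dependency that runs code during cargo build / cargo install.
crates_with_build_script() {
    find "$1" -mindepth 2 -maxdepth 2 -name build.rs 2>/dev/null |
        sed 's#/build\.rs$##; s#.*/##' |
        sort
}

# audit_lock LOCKFILE CRATE...: prints a FOUND line for each listed crate that is
# pinned in LOCKFILE; returns 1 if any was found, 0 if the lockfile is clean.
audit_lock() {
    lock="$1"; shift
    found=0
    for crate in "$@"; do
        if lock_has_crate "$lock" "$crate"; then
            echo "FOUND $crate $(locked_version "$lock" "$crate")"
            found=1
        fi
    done
    return "$found"
}

# Demo run against the constructed inputs.
echo "dependencies with build scripts:"
crates_with_build_script "$SAMPLE_SRC"
if audit_lock "$SAMPLE_LOCK" finch_cli_rust; then
    echo "lockfile clean"
else
    echo "known-bad crate pinned: remove it from Cargo.toml, regenerate Cargo.lock, run cargo clean, rotate credentials"
fi
```

The build-script inventory is the useful part for a CI pipeline: run it before a build on a fresh checkout and fail the job when a crate outside an allow-list appears, since a build.rs executes with the full privileges of the build user before any of the project's own code is compiled.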


Read the full report for GHSA-6V2J-VR4H-F632 on our website for more details including interactive diagrams and full exploit analysis.
