GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate
Vulnerability ID: GHSA-99J7-FHR2-XFJ4
CVSS Score: 10.0
Published: 2026-07-10
The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.
TL;DR
The malicious Rust crate 'exploration' was discovered performing arbitrary command execution and dynamic payload downloads during cargo compilation. It has been removed from the crates.io registry.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-506
- Attack Vector: Supply Chain Compromise / Registry Abuse
- CVSS Score: 10.0
- Exploit Status: Active Malicious Upload (Removed)
- KEV Status: Not Listed
- Primary Impact: Remote Code Execution (RCE)
- Ecosystem: Cargo (Rust)
Affected Systems
- Rust development workstations running Cargo compilation
- CI/CD build pipelines and containerized build runners
- Self-hosted proxy registries caching public crates.io assets
-
exploration: >= 0.0.0-0 (Fixed in:
None (Package Deleted))
Mitigation Strategies
- Audit Cargo.toml and Cargo.lock across all internal projects for the 'exploration' dependency.
- Clear the local Cargo registry and build cache to purge any residual files associated with the malicious crate.
- Implement outbound network restrictions on CI/CD build environments to block unauthorized dynamic payloads.
Remediation Steps:
- Inspect all system dependency trees for references to the 'exploration' crate.
- Immediately terminate active processes on any host where 'exploration' was compiled or run.
- Execute 'cargo clean' and delete local registry cache directories: '~/.cargo/registry/src/' and '~/.cargo/registry/cache/'.
- Revoke and rotate all environment variables, SSH keys, registry credentials, and API tokens present on infected systems.
- Audit endpoint logs and network telemetry for outbound connections targeting unauthorized endpoints during the compilation window.
References
- GitHub Security Advisory: GHSA-99J7-FHR2-XFJ4
- RustSec Advisory Database Page
- Raw RustSec GitHub Advisory Entry
- Affected Package Registry Stub
- Socket Threat Research Team Homepage
Read the full report for GHSA-99J7-FHR2-XFJ4 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)