CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G38R-8GMR-GHRF: Malicious Code Execution via build.rs in Rust Crate mysten-metrics

Vulnerability ID: GHSA-G38R-8GMR-GHRF
CVSS Score: 10.0
Published: 2026-05-04

The mysten-metrics Rust crate was published as a malicious package to the crates.io registry. It uses a malicious build.rs script to execute arbitrary code during the compilation phase, silently exfiltrating sensitive developer environment variables, SSH keys, and cloud credentials to an external server.

TL;DR

A malicious Rust crate named mysten-metrics executes data exfiltration scripts via build.rs upon compilation. Developers who compiled this crate must assume their local environment is compromised and immediately rotate all local and cloud credentials.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506
  • Attack Vector: Supply Chain / Malicious Dependency
  • Execution Trigger: cargo build / compilation phase
  • Exploit Status: Active
  • Target Operating Systems: All OS (Cross-platform execution)
  • Impact: High (Data Exfiltration / Credential Theft)

Affected Systems

  • Rust Developer Workstations
  • Continuous Integration / Continuous Deployment (CI/CD) pipelines running Cargo
  • mysten-metrics: All versions (including 0.1.0) (Fixed in: None (Removed))

Exploit Details

  • crates.io: Active deployment of malicious package on the public registry.

Mitigation Strategies

  • Remove all references to mysten-metrics from Cargo.toml and Cargo.lock
  • Purge the local Cargo cache with cargo clean and by manually deleting ~/.cargo/registry
  • Implement cargo-audit in CI/CD pipelines to detect known malicious or vulnerable crates automatically
  • Sandbox CI/CD runners by denying external network access during the build phase

Remediation Steps

  1. Identify all machines (developer workstations and CI/CD servers) that attempted to build the mysten-metrics crate.
  2. Treat the identified host environments as compromised.
  3. Identify all secrets present on the machine at the time of compilation, including ~/.ssh, ~/.aws/credentials, ~/.cargo/credentials, and environment variables.
  4. Rotate all identified secrets immediately across all connected services.
  5. Review network logs for unauthorized outbound HTTP connections to unknown IP addresses or domains during the time of compilation.
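The lockfile and cache checks from the mitigation strategies and remediation steps above, as an added pre-build audit script that is not part of the advisory or of the mysten-metrics project. The indicator strings, the `index.crates.io-PLACEHOLDER` directory name and the sample build.rs fixture are constructed assumptions for illustration.

```python
"""Pre-build audit: added example, not code from the advisory or the
mysten-metrics project; indicators and the fixture are constructed assumptions."""
import re
import tempfile
from pathlib import Path

BLOCKLIST = {"mysten-metrics"}  # crate named in the advisory
# Assumed indicators (not from the advisory): credential paths listed in the remediation
# steps plus common env-enumeration and network idioms. A build.rs is flagged only when
# it hits BOTH a credential/env indicator AND a network indicator.
CREDENTIAL_INDICATORS = (".ssh", ".aws/credentials", ".cargo/credentials", "env::vars")
NETWORK_INDICATORS = ("TcpStream", "reqwest", "ureq", "curl", "http://", "https://")
PKG_RE = re.compile(r"^\[\[package\]\]", re.M)
NAME_RE = re.compile(r'^name\s*=\s*"([^"]+)"', re.M)
VERSION_RE = re.compile(r'^version\s*=\s*"([^"]+)"', re.M)

def locked_packages(lock_text: str) -> dict:
    """Return {name: version} for every [[package]] block in a Cargo.lock."""
    pkgs = {}
    for block in PKG_RE.split(lock_text)[1:]:
        name, ver = NAME_RE.search(block), VERSION_RE.search(block)
        if name:
            pkgs[name.group(1)] = ver.group(1) if ver else "?"
    return pkgs

def blocklisted_in_lock(lock_text: str) -> dict:
    """Check 1: blocklisted crates pinned in Cargo.lock (fail CI if non-empty)."""
    return {n: v for n, v in locked_packages(lock_text).items() if n in BLOCKLIST}

def suspicious_build_scripts(registry_src: Path) -> list:
    """Check 2: walk extracted registry sources and flag build.rs files."""
    hits = []
    for build_rs in sorted(registry_src.rglob("build.rs")):
        src = build_rs.read_text(errors="replace")
        cred = [i for i in CREDENTIAL_INDICATORS if i in src]
        net = [i for i in NETWORK_INDICATORS if i in src]
        if cred and net:
            hits.append((build_rs.parent.name, cred, net))
    return hits

SAMPLE_LOCK = '[[package]]\nname = "mysten-metrics"\nversion = "0.1.0"\n\n[[package]]\nname = "serde"\nversion = "1.0.0"\n'
# Constructed stand-in for a credential-stealing build script; NOT the real one.
SAMPLE_BAD_BUILD_RS = 'use std::net::TcpStream;\nfn main() { let _ = std::fs::read_dir(".ssh"); for _ in std::env::vars() {} }\n'
SAMPLE_OK_BUILD_RS = 'fn main() { println!("cargo:rerun-if-changed=build.rs"); }\n'

def demo() -> tuple:
    """Build a throwaway ~/.cargo/registry/src/<index>/<crate> layout and run both checks."""
    root = Path(tempfile.mkdtemp()) / "index.crates.io-PLACEHOLDER"  # real dir carries a hash suffix
    for crate, body in (("mysten-metrics-0.1.0", SAMPLE_BAD_BUILD_RS), ("serde-1.0.0", SAMPLE_OK_BUILD_RS)):
        (root / crate).mkdir(parents=True)
        (root / crate / "build.rs").write_text(body)
    return blocklisted_in_lock(SAMPLE_LOCK), suspicious_build_scripts(root)
```

In a pipeline, point `blocklisted_in_lock` at the checked-in Cargo.lock and `suspicious_build_scripts` at `~/.cargo/registry/src` after `cargo fetch`, and fail the job when either returns a non-empty result.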

Read the full report for GHSA-G38R-8GMR-GHRF on our website for more details including interactive diagrams and full exploit analysis.
