CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MH23-RW7F-V5PQ: Malicious 'time-sync' Crate Exfiltrating Environment Secrets

Vulnerability ID: GHSA-MH23-RW7F-V5PQ
CVSS Score: 9.8
Published: 2026-03-05

A critical security advisory has been issued for the Rust crate time-sync, which was identified as a malicious package created to carry out a supply chain attack. Published to crates.io, the package purported to be a time synchronization utility but contained concealed logic to locate, read, and exfiltrate .env configuration files from the host system to a remote server at the timeapi.io domain or a spoofed look-alike of it. The crate was removed from the registry approximately 50 minutes after publication.

TL;DR

The time-sync Rust crate contains malware that steals .env files and sends them to a remote server. It was active on crates.io for 50 minutes on March 4, 2026. Any project that installed this crate must consider all environment secrets compromised and rotate them immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506
  • Attack Vector: Network / Supply Chain
  • Severity: Critical
  • Impact: Information Disclosure (Credentials)
  • Affected Component: time-sync crate
  • Status: Removed from Registry

Affected Systems

  • Rust development environments
  • CI/CD pipelines building Rust projects
  • Systems with .env files utilizing time-sync
  • time-sync: all versions (no fixed version; crate removed from registry)

Mitigation Strategies

  • Immediate removal of the malicious dependency
  • Credential rotation for all exposed secrets
  • Automated dependency auditing using cargo-audit
  • Network egress filtering for CI/CD environments

Remediation Steps:

  1. Run cargo tree or check Cargo.lock to verify if time-sync is present.
  2. If present, execute cargo remove time-sync.
  3. Identify every secret key, password, and token located in .env files on the affected machine.
  4. Log into the respective service providers (AWS, Stripe, Database, etc.) and revoke the compromised credentials.
  5. Generate new credentials and update the local configuration.
  6. Install cargo-audit via cargo install cargo-audit and run cargo audit to verify no other vulnerabilities exist.
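The remediation steps above, scripted as a small triage helper (an added example, not part of the advisory or the cvereports.com report; the crate name, project paths and sample files are constructed for the demonstration):

```shell
#!/bin/sh
# Added example (not from the advisory): POSIX sh triage for the remediation
# steps. Checks a Cargo.lock for the named crate, lists the variable names
# (never the values) found in .env files as a rotation checklist, and prints
# the cargo commands still to be run. All inputs here are constructed.

# has_crate LOCKFILE CRATE -> exit 0 if CRATE is a locked [[package]] name
has_crate() {
    lockfile="$1"; crate="$2"
    [ -f "$lockfile" ] || return 1
    # Cargo.lock records each dependency as: [[package]] / name = "..." / version = "..."
    grep -Eq "^name = \"${crate}\"\$" "$lockfile"
}

# crate_versions LOCKFILE CRATE -> prints every locked version of CRATE, one per line
crate_versions() {
    lockfile="$1"; crate="$2"
    awk -v want="$crate" '
        /^name = /    { name = $3; gsub(/"/, "", name) }
        /^version = / { if (name == want) { v = $3; gsub(/"/, "", v); print v } }
    ' "$lockfile"
}

# env_keys ENVFILE -> prints the variable names defined in a .env file, never the
# values, so the list can be shared as a rotation checklist without re-exposing secrets
env_keys() {
    envfile="$1"
    [ -f "$envfile" ] || return 1
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$envfile"
}

# triage PROJECT_DIR CRATE -> exit 0 if the crate is absent, 1 if it is present
triage() {
    dir="$1"; crate="$2"
    if has_crate "$dir/Cargo.lock" "$crate"; then
        echo "FOUND $crate in $dir/Cargo.lock (versions: $(crate_versions "$dir/Cargo.lock" "$crate" | tr '\n' ' '))"
        echo "Secrets to rotate (names only):"
        find "$dir" -type f \( -name '.env' -o -name '.env.*' \) 2>/dev/null |
            while read -r f; do env_keys "$f" | sed "s|^|  $f: |"; done
        echo "Next: (cd $dir && cargo remove $crate && cargo install cargo-audit && cargo audit)"
        return 1
    fi
    echo "OK: $crate not present in $dir/Cargo.lock"
    return 0
}
```

Run it as `triage /path/to/project time-sync`; the non-zero exit code lets a CI job fail the build when the crate is still locked.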

Read the full report for GHSA-MH23-RW7F-V5PQ on our website for more details including interactive diagrams and full exploit analysis.