CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VGR2-R5HM-F6GF: SHA-RST: The Silent Assassin in Your Cargo.toml

Vulnerability ID: GHSA-VGR2-R5HM-F6GF
CVSS Score: 10.0
Published: 2026-02-12

A deep dive into the 'sha-rst' malicious crate, a textbook example of modern supply chain warfare targeting the Rust ecosystem. This package masqueraded as a utility library but served as a nested payload carrier for a typo-squatting campaign, exfiltrating developer credentials immediately upon installation.

TL;DR

Malicious Rust crate 'sha-rst' (and its parent 'finch_cli_rust') caught stealing SSH keys and AWS credentials. It used dependency nesting to hide the payload. If you installed it, rotate everything.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain / Typosquatting
  • Impact: Credential Exfiltration
  • CWE ID: CWE-506
  • Severity: Critical
  • Exploit Status: Active / Weaponized
  • Platform: Rust / crates.io
  • Payload: Info Stealer

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines running 'cargo build'
  • Systems with 'finch_cli_rust' installed
  • sha-rst: >= 0.1.0 (Fixed in: Removed)
  • finch_cli_rust: >= 0.0.0 (Fixed in: Removed)

Exploit Details

  • RustSec: Advisory confirming malware payload

Mitigation Strategies

  • Dependency Pinning
  • Vulnerability Scanning
  • Typosquatting Awareness
  • Credential Isolation

Remediation Steps

  1. Identify if 'sha-rst', 'finch_cli_rust', or 'finch-rst' exists in your Cargo.lock.
  2. Delete the affected crates from Cargo.toml immediately.
  3. Run 'cargo audit' to ensure no other known malicious crates are present.
  4. Rotate ALL credentials found on the infected machine (SSH keys, AWS tokens, API keys).
  5. Consider the development machine fully compromised; re-image if possible.
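The first remediation step is a lockfile check, and Cargo.lock (not Cargo.toml) is the right file to read because a crate pulled in transitively, the nesting the post describes with 'finch_cli_rust' carrying 'sha-rst', never appears in your own Cargo.toml. The POSIX shell script below is an added example, not code from the original post, from cvereports.com or from RustSec: it walks every [[package]] entry in a Cargo.lock and reports any whose name is one of the three crates the post lists. The crate names are the post's; the function names, the sample lockfile contents and the version numbers in it are constructed here for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post or from cvereports.com.
# Scans a Cargo.lock for the crate names the advisory lists. The names are
# the post's; function names and the sample lockfiles are constructed here.

# Crate names called out in the advisory's remediation steps.
MALICIOUS_CRATES="sha-rst finch_cli_rust finch-rst"

# find_malicious_crates LOCKFILE
# Walks every [[package]] entry in a Cargo.lock, prints "name version" for
# each entry whose name is in MALICIOUS_CRATES, and returns 1 when at least
# one was found, 0 when the lockfile is clean, 2 when it cannot be read.
find_malicious_crates() {
    lockfile=$1
    [ -r "$lockfile" ] || { echo "cannot read $lockfile" >&2; return 2; }
    awk -v list="$MALICIOUS_CRATES" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        # Each [[package]] table starts a fresh name/version pair.
        /^\[\[package\]\]/ { name = ""; version = "" }
        /^name = "/ { name = $3; gsub(/"/, "", name) }
        /^version = "/ {
            version = $3; gsub(/"/, "", version)
            if (name in bad) { print name, version; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    ' "$lockfile"
}

# write_sample_lockfile PATH infected|clean
# Writes a small constructed Cargo.lock (not a real project's lockfile).
# The "infected" variant mirrors the nesting the post describes: the parent
# crate lists the payload crate as a dependency. Version numbers are made up.
write_sample_lockfile() {
    path=$1
    kind=$2
    cat > "$path" <<'EOF'
# Constructed sample, not a real project's lockfile.
version = 3

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

EOF
    if [ "$kind" = infected ]; then
        cat >> "$path" <<'EOF'
[[package]]
name = "finch_cli_rust"
version = "0.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "sha-rst",
]

[[package]]
name = "sha-rst"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

EOF
    fi
    # sha2 is a legitimate crate with a similar-looking name; the exact-name
    # match above must not flag it.
    cat >> "$path" <<'EOF'
[[package]]
name = "sha2"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

# Stand-alone run: build the infected sample and scan it. Replace the sample
# path with a real project's Cargo.lock to check your own tree.
sample=$(mktemp)
write_sample_lockfile "$sample" infected
if find_malicious_crates "$sample"; then
    echo "no advisory-listed crates in $sample"
else
    echo "advisory-listed crates found: remove them from Cargo.toml, run 'cargo audit', rotate credentials"
fi
rm -f "$sample"
```

The match is on the exact package name, so lookalike legitimate crates such as sha2 are not reported; only names the advisory itself lists are. A hit from this script is the trigger for the rest of the checklist, not a replacement for it: 'cargo audit' covers the whole RustSec database rather than three hard-coded names, and the credential rotation and re-imaging steps apply regardless of what the scan prints.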

Read the full report for GHSA-VGR2-R5HM-F6GF on our website for more details including interactive diagrams and full exploit analysis.
