CVE Reports
Originally published at cvereports.com

GHSA-WF45-3GPW-VRQV: Malicious Rust Crate 'time_calibrators' Exfiltrates Environment Variables

Vulnerability ID: GHSA-WF45-3GPW-VRQV
CVSS Score: Critical
Published: 2026-03-04

The 'time_calibrators' crate, published to the Rust crates.io registry, was identified as a malicious package designed to compromise developer environments. Masquerading as a legitimate time synchronization utility, the package contained code to locate and exfiltrate sensitive credentials stored in '.env' files. The stolen data was transmitted to a remote command-and-control server designed to impersonate the legitimate 'timeapi.io' service. The package was removed within three hours of publication, which limited its spread, but it represents a sophisticated supply chain attack linked to the SyncFuture espionage campaign.

TL;DR

A malicious Rust crate named 'time_calibrators' was discovered on crates.io. It executes a build script to steal '.env' files and sends secrets to a fake 'timeapi.io' domain. Users who installed this crate must immediately rotate all exposed credentials.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • Attack Vector: Network (Supply Chain)
  • CWE: CWE-506 (Embedded Malicious Code)
  • Impact: Critical (Credential Theft)
  • CVSS: Critical (Unassigned)
  • Exploit Status: Weaponized
  • Campaign: SyncFuture

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines
  • Systems with Rust toolchain installed
  • time_calibrators: all versions (*); no fixed version, the crate was removed

Mitigation Strategies

  • Immediate Incident Response
  • Credential Rotation
  • Dependency Auditing
  • Network Filtering

Remediation Steps:

  1. Identify if the crate was cached by running ls ~/.cargo/registry/src/github.com-*/time_calibrators-*. If found, the system is compromised.
  2. Remove the dependency from Cargo.toml and delete the Cargo.lock file.
  3. Purge the cargo registry cache using cargo clean or by manually deleting the registry directory.
  4. CRITICAL: Rotate ALL credentials, API keys, and secrets that were present in any .env file on the affected machine. Merely deleting the crate does not secure the stolen keys.
  5. Review network logs for traffic to timeapi[.]co, time-api[.]io, or other variations of timeapi.
  6. Implement cargo-audit in CI/CD pipelines to prevent the inclusion of known malicious crates.
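
The checks in steps 1, 2 and 4 can be scripted for triage across many machines. The script below is an added example, not part of the original advisory. It goes beyond the step 1 command by matching any registry directory name (newer cargo versions use index.crates.io-* rather than github.com-*) and the downloaded .crate archive; the cargo home and project root arguments are assumptions about your layout.

```shell
#!/bin/sh
# Added triage example for the remediation steps; not code from the advisory.
CRATE="time_calibrators"

# scan_crate_exposure CARGO_HOME PROJECT_ROOT
# Prints one line per finding. Returns 0 when clean, 1 when evidence exists.
scan_crate_exposure() {
    cargo_home="$1"     # assumption: usually "${CARGO_HOME:-$HOME/.cargo}"
    project_root="$2"   # assumption: directory tree holding your projects
    hits=0

    # Step 1: unpacked sources and downloaded .crate archives under any
    # registry directory name (github.com-*, index.crates.io-*, mirrors).
    for path in "$cargo_home"/registry/src/*/"$CRATE"-* \
                "$cargo_home"/registry/cache/*/"$CRATE"-*.crate; do
        [ -e "$path" ] || continue      # an unmatched glob stays literal
        echo "CACHED $path"
        hits=$((hits + 1))
    done

    # Step 2: lockfiles that pin the crate, directly or transitively.
    tmp=$(mktemp)
    find "$project_root" -type f -name Cargo.lock \
        -exec grep -l "^name = \"$CRATE\"\$" {} + > "$tmp" 2>/dev/null || true
    while IFS= read -r lock; do
        echo "LOCKED $lock"
        hits=$((hits + 1))
    done < "$tmp"

    # Step 4: on a hit, list variable names (never values) from .env files
    # under project_root as a rotation inventory. The advisory's scope is
    # every .env file on the machine, so widen project_root as needed.
    if [ "$hits" -gt 0 ]; then
        find "$project_root" -type f -name '.env*' > "$tmp" 2>/dev/null || true
        while IFS= read -r envf; do
            sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$envf" |
                while IFS= read -r key; do echo "ROTATE $envf $key"; done
        done < "$tmp"
    fi
    rm -f "$tmp"

    [ "$hits" -eq 0 ]
}
```

Call it as scan_crate_exposure "${CARGO_HOME:-$HOME/.cargo}" "$HOME/src" and treat any CACHED or LOCKED line as grounds for the rotation in step 4.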

Read the full report for GHSA-WF45-3GPW-VRQV on our website for more details including interactive diagrams and full exploit analysis.