DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XHW7-JHMP-J62J: Malicious 'dnp3times' Crate Exfiltrates Secrets via Typosquatting


Vulnerability ID: GHSA-XHW7-JHMP-J62J
CVSS Score: Critical
Published: 2026-03-05

The Rust package 'dnp3times' was identified as a malicious component within the crates.io ecosystem, designed to execute a supply chain attack against developers. Published on March 4, 2026, the package utilized typosquatting to deceive users into installing it. Upon execution, the crate attempted to locate sensitive .env configuration files and exfiltrate their contents to a remote server controlled by the attacker. The exfiltration traffic was obfuscated to resemble legitimate requests to timeapi.io.

TL;DR

Malicious Rust crate 'dnp3times' found on crates.io. It scans for and steals .env files, sending secrets to an attacker-controlled server masquerading as timeapi.io. Developers who installed this package must rotate all exposed credentials immediately.


Technical Details

  • CWE: CWE-506 (Embedded Malicious Code)
  • Attack Vector: Network (Supply Chain)
  • Impact: Confidentiality Loss (Critical)
  • Platform: Rust / crates.io
  • Malware Type: Info Stealer / Dropper
  • Status: Package Removed

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines running Rust builds
  • Systems with 'dnp3times' installed
  • dnp3times: * (Fixed in: Removed)

Mitigation Strategies

  • Immediate revocation and rotation of compromised secrets
  • Dependency auditing via cargo audit
  • Network filtering of known malicious C2 domains
  • Usage of lockfiles to prevent silent dependency drift

Remediation Steps:

  1. Run cargo tree or inspect Cargo.lock to verify if dnp3times was ever present in the dependency tree.
  2. If the package was found, identify every .env file accessible from the project root.
  3. Revoke every credential, API key, and secret found in those .env files.
  4. Remove dnp3times from Cargo.toml and run cargo update.
  5. Reimage the affected developer workstation or CI runner to ensure no persistence was established.
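
Steps 1 to 3 can be scripted so that every checkout on a workstation or runner is triaged the same way. The following is an added example, not code from the advisory or from the crates.io project: it looks for an exact 'dnp3times' entry in each Cargo.lock and, if one is found, lists the variable names (never the values) in nearby .env files as a rotation inventory. Assumptions: the function names are hypothetical, ".env.*" variants are included alongside ".env", "accessible from the project root" is read as "beneath it", and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a checkout for the malicious crate.
CRATE="dnp3times"

# Step 1: print every Cargo.lock under $1 that pins the crate (exact name match).
find_locked() {
  find "$1" -type f -name Cargo.lock \
    -exec grep -l "^name = \"${CRATE}\"\$" {} + 2>/dev/null || true
}

# Step 2: list .env and .env.* files under $1. Assumption: "accessible from
# the project root" is read as "beneath it"; build output and .git are skipped.
find_env_files() {
  find "$1" \( -name target -o -name .git \) -prune -o \
    -type f \( -name '.env' -o -name '.env.*' \) -print
}

# Step 3 input: variable names defined in an env file, never their values.
env_keys() {
  sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1"
}

# Returns 1 and prints a rotation inventory if the crate is pinned, else 0.
triage() {
  t_hits=$(find_locked "$1")
  if [ -z "$t_hits" ]; then
    echo "clean: ${CRATE} not pinned under $1"
    return 0
  fi
  printf 'FOUND %s in:\n%s\nrotate (names only):\n' "$CRATE" "$t_hits"
  find_env_files "$1" | while IFS= read -r t_file; do
    env_keys "$t_file" | while IFS= read -r t_key; do
      printf '  %s: %s\n' "$t_file" "$t_key"
    done
  done
  return 1
}

# Constructed sample tree for trying the functions; versions and keys are made up.
make_sample() {
  mkdir -p "$1/app/target" "$1/lib"
  printf '[[package]]\nname = "dnp3times"\nversion = "0.0.0"\n' > "$1/app/Cargo.lock"
  printf '[[package]]\nname = "serde"\nversion = "0.0.0"\n' > "$1/lib/Cargo.lock"
  printf '# comment\nexport API_TOKEN=abc\nDB_URL = x\nDB_PASS=s3cret\n' > "$1/app/.env"
  printf 'STAGE_KEY=1\n' > "$1/app/.env.staging"
  printf 'IGNORED=1\n' > "$1/app/target/.env"
}
```

A clean result covers only the current checkout; running git log -Sdnp3times in the repository shows whether an earlier commit ever referenced the crate.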
