DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-XP79-9MXW-878J: The Finch That Stole Your Keys: Autopsy of the Malicious `finch-rst` Crate


Vulnerability ID: GHSA-XP79-9MXW-878J
CVSS Score: 10.0
Published: 2026-02-12

The Rust ecosystem prides itself on memory safety, which eliminates entire classes of bugs such as buffer overflows and use-after-frees. The borrow checker, however, says nothing about the trustworthiness of the code you pull into your build: a dependency that runs arbitrary logic at compile time is a supply chain problem, not a memory safety problem, and no language guarantee protects you from it.

GHSA-XP79-9MXW-878J details a supply chain attack involving finch-rst, a malicious crate uploaded to crates.io. Masquerading as a legitimate bioinformatics tool, this package was designed not to process data but to exfiltrate it. It abuses the trust the Cargo build system places in dependencies: a crate's build script runs with the full privileges of the developer or CI account as soon as the crate is compiled as a dependency, so the payload executes on developer machines and CI/CD pipelines without any call into the crate's API.

TL;DR

The finch-rst package on crates.io contains malicious code and likely relies on typosquatting to catch users of the legitimate finch crate. As soon as Cargo compiles it as a dependency (a plain cargo build is enough; cargo test and cargo check also run build scripts), it executes code, most likely from a build.rs build script, that compromises the environment. The crate has been removed from the registry, but if it ever appeared in your Cargo.lock, assume every credential reachable from that machine (AWS keys, SSH keys, GPG keys, and any CI secrets exposed to the build) is compromised.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • Attack Vector: Supply Chain / Typosquatting
  • Execution Stage: Build Time (cargo build)
  • Impact: Arbitrary Code Execution / Info Disclosure
  • CVSS: 10.0 (Critical)
  • Target Ecosystem: Crates.io (Rust)
  • Component: finch-rst

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines
  • Production Build Servers
  • finch-rst: all versions (no fixed version exists; the crate was removed from crates.io)

Exploit Details

Mitigation Strategies

  • Use cargo-vet so that every third-party crate, and every update to one, must carry an audit (your own, or one imported from an organization you trust) before it is allowed into the build.
  • Run cargo-deny in CI/CD pipelines: its [bans] section denies named crates outright, [sources] rejects any registry or git source you have not allowlisted, and [advisories] fails the build on crates with entries in the RustSec advisory database (cargo-audit checks the same database).
  • Make builds hermetic: build scripts run with the privileges of the build user, so run CI builds without outbound network access and against vendored dependencies (cargo vendor, or cargo build --offline with a pre-populated cache), leaving dependency fetching as a separate, reviewed step.

Remediation Steps:

  1. Identify every machine and pipeline where finch-rst was resolved or built: search Cargo.lock files, CI logs, and ~/.cargo/registry caches for the name. A typo in Cargo.toml is the most likely way it got there.
  2. Remove finch-rst from Cargo.toml and Cargo.lock, replacing it with the crate you actually intended if the name was a typo.
  3. Run cargo clean, then delete the crate's downloaded archive and unpacked source from the registry cache (~/.cargo/registry/cache/<index>/finch-rst-<version>.crate and ~/.cargo/registry/src/<index>/finch-rst-<version>/, where <index> is the directory named after the registry index).
  4. Rotate ALL credentials present on the affected machine (AWS keys, SSH keys, GPG keys, API tokens, and any CI secrets the build could read).
  5. Audit system logs for unauthorized network connections or process executions; treat the host as compromised until the build script's behaviour is fully understood.
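The following is an added example, not code from the advisory or from any real tool, covering remediation step 1 above and the typosquatting angle from the TL;DR. It reads a Cargo.lock with a minimal standard-library parser, flags a blocklisted crate name, and flags names that resemble a crate you trust, either by small edit distance or by being that name plus a short "-rs"-style suffix, which is exactly the shape finch-rst has relative to finch. The embedded lockfile is constructed: the finch-rst version 0.1.0, the fnich crate, and the my-pipeline workspace root are all made up for the demonstration, as are the trusted list and the distance threshold of 2.

```rust
// Added example, not code from the advisory or from any real tool: read a
// Cargo.lock, flag the blocklisted crate, and flag names that resemble crates
// you trust (edit distance or a short "-rs"-style suffix). Standard library only.

/// One `[[package]]` entry from Cargo.lock, reduced to what triage needs.
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct LockPackage { pub name: String, pub version: String }

/// Minimal lockfile reader: every Cargo.lock version uses `[[package]]` tables
/// with `name`/`version`; `source`, `checksum` and `dependencies` are skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<LockPackage> {
    let (mut out, mut cur) = (Vec::new(), None::<LockPackage>);
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {            // any new table closes the current entry
            out.extend(cur.take());
            if line == "[[package]]" { cur = Some(LockPackage::default()); }
        } else if let (Some(pkg), Some((key, val))) = (cur.as_mut(), line.split_once('=')) {
            let val = val.trim().trim_matches('"').to_string();
            match key.trim() { "name" => pkg.name = val, "version" => pkg.version = val, _ => {} }
        }
    }
    out.extend(cur.take());
    out
}

/// Plain Levenshtein distance, for one- or two-character typos.
pub fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let (mut prev, mut cur): (Vec<usize>, Vec<usize>) = ((0..=b.len()).collect(), vec![0; b.len() + 1]);
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Typosquat heuristic: `candidate` is within `max_distance` edits of `trusted`,
/// or is `trusted` plus a short suffix of up to three characters (what `finch-rst`
/// does to `finch`). crates.io treats `-` and `_` alike, so compare on one form.
/// Returns the edit distance for the report; `None` means not suspicious.
pub fn look_alike_distance(candidate: &str, trusted: &str, max_distance: usize) -> Option<usize> {
    let norm = |s: &str| s.to_ascii_lowercase().replace('_', "-");
    let (c, t) = (norm(candidate), norm(trusted));
    let d = edit_distance(&c, &t);
    let short_suffix = c.strip_prefix(&format!("{}-", t)).map_or(false, |r| !r.is_empty() && r.len() <= 3);
    if c != t && (d <= max_distance || short_suffix) { Some(d) } else { None } // `serde_json` stays quiet
}

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    KnownMalicious { name: String, version: String },
    LookAlike { name: String, resembles: String, distance: usize },
}

/// Remediation step 1: the blocklisted crate, plus anything that resembles a
/// crate you trust (the trusted crates themselves are skipped).
pub fn triage(pkgs: &[LockPackage], blocklist: &[&str], trusted: &[&str], max_distance: usize) -> Vec<Finding> {
    let mut findings = Vec::new();
    for p in pkgs {
        if blocklist.contains(&p.name.as_str()) {
            findings.push(Finding::KnownMalicious { name: p.name.clone(), version: p.version.clone() });
        } else if !trusted.contains(&p.name.as_str()) {
            for t in trusted {
                if let Some(distance) = look_alike_distance(&p.name, t, max_distance) {
                    findings.push(Finding::LookAlike { name: p.name.clone(), resembles: t.to_string(), distance });
                }
            }
        }
    }
    findings
}

/// Constructed sample, not a real project; the finch-rst version is made up.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "finch-rst"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "fnich"
version = "0.2.0"
[[package]]
name = "my-pipeline"
version = "0.1.0"
dependencies = [
 "finch-rst",
 "fnich",
]
"#;

fn main() {
    let pkgs = parse_cargo_lock(SAMPLE_LOCK);
    for f in triage(&pkgs, &["finch-rst"], &["finch", "serde"], 2) { println!("{:?}", f); }
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's Cargo.lock (for example via std::fs::read_to_string) and put the crates you actually intended to depend on in the trusted list. The suffix rule is deliberately narrow: a three-character cap keeps separate, legitimate crates such as serde_json from being reported, while still catching the finch-rst pattern; anything it reports is a review queue, not a verdict.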

References


Read the full report for GHSA-XP79-9MXW-878J on our website for more details including interactive diagrams and full exploit analysis.
