crates.io: Malicious crates finch-rust and sha-rust
Source: Rust Blog
Summary
On December 5th, the crates.io team was notified by Kush Pandya from the Socket Threat Research Team of two malicious crates that were attempting to cause confusion with the existing finch crate by adding a dependency on a malicious crate that performed data exfiltration.
Crates involved
finch-rust– 1 version published November 25 2025, downloaded 28 times, depended onsha-rustsha-rust– 8 versions published between November 20 and November 25 2025, downloaded 153 times
Actions taken
The user face-lessssss was immediately disabled, and the crates were deleted from crates.io shortly after. The malicious crate files have been retained for further analysis.
- Deletions performed at 15:52 UTC on December 5th.
- Associated repositories were reported to GitHub, and the account has been removed there as well.
Analysis
Socket has published their analysis in a blog post.
These crates had no downstream dependents on crates.io, and there is no evidence of them being downloaded outside of automated mirroring and scanning services.
Thanks
Our thanks to Kush Pandya from the Socket Threat Research Team for reporting the crates. We also thank Carol Nichols from the crates.io team and Adam Harvey from the Rust Foundation for aiding in the response.