|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "crates.io Postmortem: User Uploaded Malware" |
| 4 | +author: Adam Harvey |
| 5 | +team: the crates.io team <https://www.rust-lang.org/governance/teams/crates-io> |
| 6 | +--- |
| 7 | + |
| 8 | +## Summary |
| 9 | + |
| 10 | +On August 16, the crates.io team was notified by Louis Lang at [Phylum][phylum] of a new user who had uploaded nine crates that typosquatted[^typosquatting] popular crates with ill intent. The crates were immediately yanked and the user account locked, and the crates were then fully removed from the crates.io file store on August 18. |
| 11 | + |
| 12 | +Phylum have also written [their own blog][phylum-blog] on this incident. |
| 13 | + |
| 14 | +## Contents |
| 15 | + |
| 16 | +These crates contained malicious `build.rs` files that would attempt to send metadata from the user's computer to a Telegram[^telegram] channel, including their operating system, IP address, and geolocation information based on their IP address.[^geolocation] |
| 17 | + |
| 18 | +One version of one crate also contained a copy of the PuTTY[^putty] installer, with the `build.rs` spawning PuTTY instead of sending metadata to Telegram. Our assumption is that this was an earlier stage of experimenting with what was possible from a `build.rs` file. |
| 19 | + |
| 20 | +## Actions taken |
| 21 | + |
| 22 | +The crates were yanked and the associated user account was locked immediately after the crates.io team received the report. This would not have prevented someone from downloading the crate files directly from static.crates.io, but removed the crates from the crate index and made them uninstallable through normal `cargo` usage. |
| 23 | + |
| 24 | +After [analysing](#analysis) the crates in question and the logs related to all actions taken by this user — from signing up, searching for crates to typosquat, and finally to publishing the crates — we decided to delete the crates entirely from static.crates.io to prevent any further possibility of attack.[^deletion] The deletion was performed at 17:22 UTC on August 18, 2023. |
| 25 | + |
| 26 | +## Analysis |
| 27 | + |
| 28 | +In this case, the crates were solely and very obviously crafted for malicious purposes. |
| 29 | + |
| 30 | +We have no evidence that any of these crates were downloaded by an actual user — analysis of the user agents associated with the download requests for these crates in our logs suggest that the only downloads were automated scanner and mirroring actions. |
| 31 | + |
| 32 | +The user associated with these crates took no other actions — malicious or otherwise — in the 30 days[^retention] prior to August 18. |
| 33 | + |
| 34 | +## Future actions |
| 35 | + |
| 36 | +The [Rust Foundation][foundation]'s [Security Initiative][init] is planning future work on scanning all crate uploads, both in terms of typosquatting and the actual contents of the crate files. The prototypes of both projects would have detected these crate files, and the crates.io team intends to work with the Foundation to implement these scanners once ready. |
| 37 | + |
| 38 | +## Thanks |
| 39 | + |
| 40 | +Our thanks to Louis Lang at [Phylum][phylum] for reporting the crates, Josh Stone for facilitating the report, and Walter Pearce at the [Rust Foundation][foundation] for assisting with the analysis. |
| 41 | + |
| 42 | +[^deletion]: The crates were preserved for future analysis should there be other attacks, and to inform scanning efforts in the future. |
| 43 | +[^geolocation]: One wonders why they couldn't do this after sending the IP address to their Telegram channel, but federated workloads are apparently all the rage in 2023. |
| 44 | +[^putty]: [PuTTY][putty] is a popular SSH client for Windows. |
| 45 | +[^retention]: One year of logs are retained on crates.io, but only 30 days are immediately available on our log platform. We chose not to go further back in our analysis, since IP address based analysis is limited by the use of dynamic IP addresses in the wild, and the relevant IP address being part of an allocation to a residential ISP. |
| 46 | +[^telegram]: [Telegram][telegram] is a popular instant messaging app. |
| 47 | +[^typosquatting]: [Typosquatting][typosquatting] is a technique used by bad actors to initiate dependency confusion attacks where a legitimate user might be tricked into using a malicious dependency instead of their intended dependency — for example, a bad actor might try to publish a crate at `proc-macro` to catch users of the legitimate `proc-macro2` crate. |
| 48 | + |
| 49 | +[foundation]: https://foundation.rust-lang.org/ |
| 50 | +[init]: https://foundation.rust-lang.org/news/2022-09-13-rust-foundation-establishes-security-team/ |
| 51 | +[phylum]: https://www.phylum.io/ |
| 52 | +[phylum-blog]: https://blog.phylum.io/rust-malware-staged-on-crates-io/ |
| 53 | +[putty]: https://www.putty.org/ |
| 54 | +[telegram]: https://telegram.org/ |
| 55 | +[typosquatting]: https://docs.npmjs.com/threats-and-mitigations#by-typosquatting--dependency-confusion |
0 commit comments