Add post on the crates.io malware incident #1138
Merged
55 changes: 55 additions & 0 deletions
posts/inside-rust/2023-08-30-crates-io-malware-postmortem.md
@@ -0,0 +1,55 @@ | ||
--- | ||
layout: post | ||
title: "crates.io Postmortem: User Uploaded Malware" | ||
author: Adam Harvey | ||
team: the crates.io team <https://www.rust-lang.org/governance/teams/crates-io> | ||
--- | ||
|
||
## Summary | ||
|
||
On August 16, the crates.io team was notified by Louis Lang at [Phylum][phylum] of a new user who had uploaded nine crates that typosquatted[^typosquatting] popular crates with ill intent. The crates were immediately yanked and the user account locked, and the crates were then fully removed from the crates.io file store on August 18. | ||
|
||
Phylum have also written [their own blog][phylum-blog] on this incident. | ||
|
||
## Contents | ||
|
||
These crates contained malicious `build.rs` files that would attempt to send metadata from the user's computer to a Telegram[^telegram] channel, including their operating system, IP address, and geolocation information based on their IP address.[^geolocation] | ||
|
||
One version of one crate also contained a copy of the PuTTY[^putty] installer, with the `build.rs` spawning PuTTY instead of sending metadata to Telegram. Our assumption is that this was an earlier stage of experimenting with what was possible from a `build.rs` file. | ||
|
||
## Actions taken | ||
|
||
The crates were yanked and the associated user account was locked immediately after the crates.io team received the report. This would not have prevented someone from downloading the crate files directly from static.crates.io, but removed the crates from the crate index and made them uninstallable through normal `cargo` usage. | ||
|
||
After [analysing](#analysis) the crates in question and the logs related to all actions taken by this user — from signing up, searching for crates to typosquat, and finally to publishing the crates — we decided to delete the crates entirely from static.crates.io to prevent any further possibility of attack.[^deletion] The deletion was performed at 17:22 UTC on August 18, 2023. | ||
|
||
## Analysis | ||
|
||
In this case, the crates were solely and very obviously crafted for malicious purposes. | ||
|
||
We have no evidence that any of these crates were downloaded by an actual user — analysis of the user agents associated with the download requests for these crates in our logs suggest that the only downloads were automated scanner and mirroring actions. | ||
|
||
The user associated with these crates took no other actions — malicious or otherwise — in the 30 days[^retention] prior to August 18. | ||
|
||
## Future actions | ||
|
||
The [Rust Foundation][foundation]'s [Security Initiative][init] is planning future work on scanning all crate uploads, both in terms of typosquatting and the actual contents of the crate files. The prototypes of both projects would have detected these crate files, and the crates.io team intends to work with the Foundation to implement these scanners once ready. | ||
|
||
## Thanks | ||
|
||
Our thanks to Louis Lang at [Phylum][phylum] for reporting the crates, Josh Stone for facilitating the report, and Walter Pearce at the [Rust Foundation][foundation] for assisting with the analysis. | ||
|
||
[^deletion]: The crates were preserved for future analysis should there be other attacks, and to inform scanning efforts in the future. | ||
[^geolocation]: One wonders why they couldn't do this after sending the IP address to their Telegram channel, but federated workloads are apparently all the rage in 2023. | ||
[^putty]: [PuTTY][putty] is a popular SSH client for Windows. | ||
[^retention]: One year of logs are retained on crates.io, but only 30 days are immediately available on our log platform. We chose not to go further back in our analysis, since IP address based analysis is limited by the use of dynamic IP addresses in the wild, and the relevant IP address being part of an allocation to a residential ISP. | ||
[^telegram]: [Telegram][telegram] is a popular instant messaging app. | ||
[^typosquatting]: [Typosquatting][typosquatting] is a technique used by bad actors to initiate dependency confusion attacks where a legitimate user might be tricked into using a malicious dependency instead of their intended dependency — for example, a bad actor might try to publish a crate at `proc-macro` to catch users of the legitimate `proc-macro2` crate. | ||
|
||
[foundation]: https://foundation.rust-lang.org/ | ||
[init]: https://foundation.rust-lang.org/news/2022-09-13-rust-foundation-establishes-security-team/ | ||
[phylum]: https://www.phylum.io/ | ||
[phylum-blog]: https://blog.phylum.io/rust-malware-staged-on-crates-io/ | ||
[putty]: https://www.putty.org/ | ||
[telegram]: https://telegram.org/ | ||
[typosquatting]: https://docs.npmjs.com/threats-and-mitigations#by-typosquatting--dependency-confusion |
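Review bot: The `[^typosquatting]` footnote describes typosquatting as a way "to initiate dependency confusion attacks", which conflates two distinct techniques: typosquatting relies on a user mistyping or misremembering a name (the `proc-macro` / `proc-macro2` example the footnote gives), while dependency confusion relies on a public package shadowing an internal package of the same name. Suggest dropping the dependency confusion phrasing and keeping the definition to the technique the example illustrates, e.g. "a technique where a bad actor publishes a crate whose name resembles a popular one, so that a user who mistypes the name installs the malicious dependency instead". Two smaller points in the same hunk: in the Analysis section, "analysis of the user agents ... suggest that" should read "suggests that" (the subject is "analysis"), and the `[^geolocation]` aside about federated workloads being "all the rage in 2023" reads as a joke in an otherwise formal postmortem and could be cut or toned down.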