On September 12, the Rust Foundation disclosed a phishing campaign targeting Rust developers who publish packages to crates.io, the official Rust package registry.
This campaign closely parallels the npm phishing incident reported on September 8, where a trusted maintainer’s identity was compromised to distribute malicious code.
In this case, threat actors impersonated the Rust Foundation using the domain rustfoundation[.]dev. Emails were sent within minutes of new crate publications, falsely claiming a breach of crates.io infrastructure.
Recipients were directed to a spoofed GitHub login page, hosted at github.rustfoundation[.]dev, designed to harvest credentials. The phishing infrastructure was taken offline shortly after public disclosure.
By September 14, the threat actor replaced the fake login page with a message claiming the crates.io database and authentication tokens were for sale. A contact email was provided, along with a deadline for purchasing, suggesting an effort to monetize stolen credentials.
On September 15, the domain was updated again. It included a claim that the data had already been sold, and that the campaign was unsophisticated, stating it was set up quickly and required minimal effort beyond cryptocurrency transaction confirmations.
While it remains unclear whether any developers entered credentials into the phishing site, reports indicate the campaign bypassed Gmail’s spam filters and reached several prominent maintainers.
Analyst insight
The attacker’s messaging suggests a credential harvesting operation followed by an attempt to sell access to crates.io publishing capabilities. No evidence currently supports a breach of crates.io or GitHub infrastructure.
Organizations that consume Rust crates in production should review crate updates and crates.io token activity between September 12 and 15, paying particular attention to dependencies that were added or had their version changed in that window. Because crates.io authenticates publishers through GitHub, a developer who may have submitted GitHub credentials to the spoofed page should be treated as exposed: rotate the GitHub password and active sessions, and revoke and reissue any crates.io API tokens belonging to that account, since a working GitHub login is enough to mint new publishing tokens.
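One way to do the dependency review above in a reproducible way is to parse the project's Cargo.lock, keep only crates.io-sourced packages, and flag any whose exact locked version was published inside the window. The following is an added example, not code from the Rust Foundation, crates.io or any project named in this advisory. It assumes the publish timestamps come from the crates.io API (the `created_at` field under `/api/v1/crates/<name>/versions`, an assumption about the API shape); here they are replaced with a constructed in-memory table so the example runs offline, and the year in the window is assumed to be 2025 because the advisory gives only the dates.

```rust
// Added example, not Rust Foundation or crates.io code: flag crates.io
// dependencies in a Cargo.lock whose locked version was published inside a
// suspicious window. Crate names, versions and timestamps are constructed.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub from_crates_io: bool,
}

/// Line-oriented parser for the `[[package]]` tables of a Cargo.lock. Each
/// table is flat `key = "value"` lines (the `dependencies = [...]` array
/// entries carry no `=`), so a TOML crate is not needed.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut cur: Option<LockedPackage> = None;
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            out.extend(cur.take());
            if line == "[[package]]" {
                cur = Some(LockedPackage { name: String::new(), version: String::new(), from_crates_io: false });
            }
            continue;
        }
        if let (Some(pkg), Some((key, val))) = (cur.as_mut(), line.split_once('=')) {
            let val = val.trim().trim_matches('"');
            match key.trim() {
                "name" => pkg.name = val.to_string(),
                "version" => pkg.version = val.to_string(),
                // Path and git dependencies were never published through the registry.
                "source" => pkg.from_crates_io = val.starts_with("registry+https://github.com/rust-lang/crates.io-index"),
                _ => {}
            }
        }
    }
    out.extend(cur);
    out
}

/// Publish time per (crate, version) as RFC 3339 UTC. In a real audit this is
/// filled from the crates.io API (assumed field: `created_at`); here it is constructed.
pub type PublishIndex = HashMap<(String, String), String>;

pub struct Audit {
    /// crates.io packages whose locked version was published inside the window.
    pub flagged: Vec<(LockedPackage, String)>,
    /// crates.io packages with no publish record: verify by hand, do not assume clean.
    pub unknown: Vec<LockedPackage>,
}

/// RFC 3339 UTC timestamps of equal precision sort lexically, so the half-open
/// window [start, end) can be checked with plain string comparison.
pub fn audit_lockfile(lock_text: &str, index: &PublishIndex, start: &str, end: &str) -> Audit {
    let mut audit = Audit { flagged: Vec::new(), unknown: Vec::new() };
    for pkg in parse_cargo_lock(lock_text).into_iter().filter(|p| p.from_crates_io) {
        match index.get(&(pkg.name.clone(), pkg.version.clone())) {
            Some(ts) if ts.as_str() >= start && ts.as_str() < end => audit.flagged.push((pkg, ts.clone())),
            Some(_) => {}
            None => audit.unknown.push(pkg),
        }
    }
    audit
}

// Year assumed (the advisory gives only the dates); end is exclusive so Sept 15 is included.
pub const WINDOW_START: &str = "2025-09-12T00:00:00Z";
pub const WINDOW_END: &str = "2025-09-16T00:00:00Z";

// Constructed sample lockfile; all crate names are hypothetical.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "acme-http",
 "acme-json",
]

[[package]]
name = "acme-http"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "acme-json"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "acme-log"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "acme-internal"
version = "2.0.0"
source = "git+https://example.invalid/acme/internal?rev=abc123#abc123"
"#;

/// Constructed stand-in for crates.io publish records.
pub fn sample_index() -> PublishIndex {
    let mut idx = PublishIndex::new();
    idx.insert(("acme-http".into(), "0.4.2".into()), "2025-09-13T08:14:00Z".into()); // inside window
    idx.insert(("acme-json".into(), "1.2.0".into()), "2025-07-01T12:00:00Z".into()); // well before
    // acme-log 0.9.1 is deliberately absent to simulate a failed lookup.
    idx
}

fn main() {
    let audit = audit_lockfile(SAMPLE_LOCK, &sample_index(), WINDOW_START, WINDOW_END);
    for (p, ts) in &audit.flagged {
        println!("REVIEW  {} {} published {}", p.name, p.version, ts);
    }
    for p in &audit.unknown {
        println!("UNKNOWN {} {} (no publish record; check manually)", p.name, p.version);
    }
}
```

A flagged entry is a prompt to diff that version against its predecessor and check its publisher, not proof of compromise; the `unknown` list exists so a lookup failure is surfaced rather than silently read as clean.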
Recommendations include requiring phishing-resistant two-factor authentication for every account with publishing rights (hardware security keys using FIDO2/WebAuthn rather than SMS or TOTP codes, which a spoofed login page can relay to the real site in real time), and delivering targeted security awareness training on phishing that impersonates trusted ecosystem actors, using the signals seen here as teaching material: an urgent "breach" notice arriving minutes after a publish, sent from a look-alike domain and linking to a login page that is not on github.com.