Matthew Mastracci recently published a writeup of an apparent targeted supply-chain attack against Rust maintainers. This was posted to r/rust.
I was one of the maintainers who received similar outreach. In my case, I assume the target was my maintainer access to zerocopy. According to Matthew, the payload he received was a remote access trojan (RAT):
The drop is a full remote-access trojan that seems to have been put together by someone who knows what they are doing. It sets up an RSA key locally and uses AES-256-CBC as a session key.
On startup it calls a checkin routine that harvests and exfiltrates a host fingerprint:
- primary IP address (enumerates all non-internal interfaces), plus all IPs
- username (`os.userInfo().username`)
- hostname
- OS type + release + platform + architecture
- process PID and full `process.argv`
- Node version
It generates an RSA-2048 keypair and a random AES-256 session key (`aes_psk`), then all subsequent traffic is AES-256-CBC encrypted with an HMAC-SHA256 integrity tag.
It supports the following commands:
- `env` — `JSON.stringify(process.env)` dumped and sent back.
- `upload` — reads an arbitrary file path and exfiltrates it.
- `download` — writes attacker-supplied bytes to any writable path.
- `spawn` — runs an arbitrary process with optional shell expansion.
- `ls`/`cd`/`pwd`/`cp`/`mv` — general filesystem primitives.
- `dns` — makes the host resolve arbitrary names through a specified resolver (for DNS tunneling?).
- `dismantle` — self-removal.
Here are the emails I received:
The approach was professionally plausible: someone claiming to represent a VC firm reached out about (presumably paid) technical diligence/consulting. While in my case the conversation petered out before moving beyond email, other targets were eventually directed toward a software project which, as Matthew's post describes, contained malicious code.
I don't know who was behind this, and I don't have independent evidence for attribution. But it appears to have been a coordinated attempt to compromise the maintainers of widely-used Rust crates. A similar attack – presumably carried out by the same actors – is described by Piyush Shukla roughly four months before Matthew's post. Piyush was himself the target; he works in the cryptocurrency space, so this may go beyond just Rust.
This post is just to add my data point to the public record: maintainers of high-impact open-source Rust projects are being targeted through ordinary-looking professional outreach.