5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files

MITRE Techniques

• [T1195.002 ] Supply Chain Compromise – Malicious crates were published to the registry to deliver exfiltration code (‘a coordinated supply chain campaign in the Rust ecosystem involving five malicious crates’)
• [T1204 ] User Execution – The malicious code executes when developers or CI run affected code paths, causing unintentional outbound requests (‘any code path that validates parameters, including tests, can cause silent outbound traffic and secret leakage’)
• [T1036 ] Masquerading – The actor used lookalike names and typosquatting (chron_anchor, dnp3times) to appear legitimate (‘typosquatted the legitimate dnp3time crate’ and ‘borrows the recognition of the widely-used chrono ecosystem’)
• [T1552.001 ] Unsecured Credentials: Credentials In Files – The crates target .env files to harvest credentials stored in developer workflows (‘.env files because they are simple, portable, and fit naturally into dotenv-style workflows’)
• [T1005 ] Data from Local System – The malicious workflow reads and uploads local files (ENV_FILE_PATH resolves to .env and the crate uploads that file via curl -F file=@{ENV_FILE_PATH})
• [T1583.001 ] Acquire Infrastructure: Domains – The campaign used attacker-controlled and lookalike domains to receive exfiltrated data (‘a lookalike domain, timeapis[.]io, that impersonates the legitimate… timeapi.io service’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – Exfiltration uses HTTP(S) requests and curl to send data to remote endpoints (‘Silent GET with a 3s timeout via external curl’ and ‘Multipart POST upload via curl’)
• [T1041 ] Exfiltration Over C2 Channel – The crates perform covert exfiltration of secrets to an external upload endpoint (‘uploads the local secrets file path (typically “.env”)’ to http://timeapis[.]io/api/Time/current/zone?timeZone=UTC)