Socket’s Threat Research Team discovered typosquatting crates targeting Rust developers: finch-rust acts as a malware loader that depends on an evolving credential-stealer sha-rust which exfiltrates configuration and credential files to a C2. The campaign used impersonation of a real developer, fabricated GitHub metadata, and an unpinned dependency to automatically deliver updated malware to victims. #finch-rust #sha-rust
Key points
- Two malicious crates were published to crates.io: finch-rust (typosquat loader) and sha-rust (credential stealer) that together target Rust developers.
- finch-rust imitates the legitimate finch bioinformatics crate (67,223 downloads) and includes a single malicious line that triggers sha-rust when library functionality is used.
- sha-rust evolved through eight versions in two weeks, shifting from scanning the HOME directory to only the current directory and adding a wildcard ('*.') pattern in v0.1.7 to broaden theft.
- The credential stealer uses base64-encoded strings, obfuscated function names, a UDP socket trick to determine local IP without sending traffic, and exfiltrates via HTTPS POST to rust-docs-build[.]vercel[.]app/api/v1.
- The threat actor “faceless” impersonated a legitimate developer (radioman) via fabricated repo links, forged commit authorship, and plausible email fields to gain trust and evade detection.
- Attack success relied on an unpinned dependency (sha-rust = “0.1”) in finch-rust so downstream users automatically received the latest malicious 0.1.x variant (v0.1.7).
- Recommended mitigations include verifying package metadata, pinning versions in Cargo.toml, auditing transitive dependencies (cargo tree), scanning for obfuscation/network calls, and rotating credentials if compromised.
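The unpinned requirement in the loader's manifest is what let every fresh resolve pull the newest sha-rust 0.1.x. The following checker, an added example written for this summary and not code from Socket or from either crate, flags Cargo.toml dependency requirements that float; it only handles the `[dependencies]` table in the plain `name = "req"` and inline-table `{ version = "req", ... }` forms, and the sample manifest is constructed.

```rust
// Added example: flag Cargo.toml requirements that admit newer releases,
// the weakness behind `sha-rust = "0.1"` resolving to the latest 0.1.x.

/// Pinned means an exact requirement with full major.minor.patch, e.g. "=0.1.2".
/// "0.1", "^0.1.7", "~0.1" and "*" all admit newer releases.
pub fn is_pinned(req: &str) -> bool {
    match req.trim().strip_prefix('=') {
        Some(rest) => {
            let parts: Vec<&str> = rest.trim().split('.').collect();
            parts.len() == 3
                && parts.iter().all(|p| !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()))
        }
        None => false,
    }
}

/// (name, requirement) pairs from the `[dependencies]` table only.
pub fn dependencies(cargo_toml: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut in_deps = false;
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if line.starts_with('[') { in_deps = line == "[dependencies]"; continue; }
        if !in_deps || line.is_empty() || line.starts_with('#') { continue; }
        if let Some((name, value)) = line.split_once('=') {
            let value = value.trim();
            // Inline table: take the quoted string that follows `version`.
            let req = if value.starts_with('{') {
                value.split_once("version").and_then(|(_, v)| v.split('"').nth(1))
            } else {
                value.split('"').nth(1)
            };
            if let Some(req) = req {
                out.push((name.trim().to_string(), req.to_string()));
            }
        }
    }
    out
}

/// Names of dependencies whose requirement is not pinned to one exact version.
pub fn unpinned(cargo_toml: &str) -> Vec<String> {
    dependencies(cargo_toml).into_iter().filter(|(_, r)| !is_pinned(r)).map(|(n, _)| n).collect()
}

// Constructed manifest (not a real crate's file) modelled on the loader's declaration.
pub const SAMPLE: &str = "[package]\nname = \"demo\"\n\n[dependencies]\nsha-rust = \"0.1\" # floats\nserde = { version = \"=1.0.197\", features = [\"derive\"] }\nrand = \"=0.8.5\"\n";
```

Pinning in your own Cargo.toml does not constrain what a dependency's manifest requests, so run `cargo tree` to see the resolved transitive versions and commit Cargo.lock, which freezes them until the next `cargo update`.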
MITRE Techniques
- [T1195.002] Supply Chain Compromise – The attacker delivered malware via a malicious transitive crate dependency and unpinned versions so victims receive the latest payload ('sha-rust = "0.1" # Unpinned version specification').
- [T1204.005] User Execution: Malicious Library – The malicious code activates when developers use finch-rust functionality ('the malware doesn't execute on installation but activates when developers actually use the library's functionality').
- [T1036] Masquerading – The threat actor impersonated a legitimate developer and repository metadata to appear trustworthy ('fabricated GitHub repository URLs and impersonation of legitimate developer radioman').
- [T1027] Obfuscated Files or Information – The stealer used base64-encoded strings and obfuscated function names to evade detection ('// Base64-encoded strings' and 'decode_str!("aHR0cHM6Ly9ydXN0LWRvY3MtYnVpbGQudmVyY2VsLmFwcC9hcGkvdjE=")').
- [T1552.001] Unsecured Credentials: Credentials in Files – The malware searches for and exfiltrates credential/configuration files such as .env and id.json ('The malware targets files containing credentials: .env … id.json').
- [T1083] File and Directory Discovery – The stealer reads target files from the filesystem to collect credentials ('let _g3 = fs::read(_e1)?; // Read target file').
- [T1041] Exfiltration Over C2 Channel – Exfiltration is performed via HTTPS POST to a C2 endpoint ('POST to C2 server' and 'https://rust-docs-build[.]vercel[.]app/api/v1').
Indicators of Compromise
- [Package] Malicious crates on crates.io – finch-rust (malware loader), sha-rust (credential stealer)
- [Domain] C2 endpoint used for exfiltration – rust-docs-build[.]vercel[.]app/api/v1
- [Email Addresses] Impersonation metadata in package manifests – vincent@radioman[.]com, radioman@users[.]noreply[.]github[.]com
- [GitHub Accounts/Repos] Fabricated or malicious repository claims – github.com/radioman/finch-rust (nonexistent), owner account face-lessssss (malicious forks)
- [Files] Targeted credential/config files – .env, id.json, config.toml (and v0.1.7 matches any file with an extension, '*.')
Read more: https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials