Researchers uncovered five malicious Rust crates on crates.io that masqueraded as time-related utilities and exfiltrated .env file data to threat actor-controlled infrastructure. The campaign (notably chrono_anchor) impersonated timeapi.io via timeapis[.]io, and a related AI-powered attack using hackerbot-claw exploited GitHub Actions to compromise Aqua Security’s Trivy extension (CVE-2026-28353), leading to removals and recommendations to rotate keys and audit CI workflows. #chrono_anchor #dnp3times #time_calibrator #time_calibrators #time_sync #timeapis_io #hackerbot_claw #trivy #AquaSecurity #CVE-2026-28353
Keypoints
- Five malicious Rust crates on crates.io posed as time utilities to steal .env files and exfiltrate secrets.
- The packages impersonated timeapi.io and used the lookalike domain timeapis[.]io to stash stolen data, indicating a single threat actor.
- chrono_anchor used obfuscation and an invoked guard.rs routine to avoid detection and repeatedly exfiltrate secrets during CI runs.
- Targeting .env files enabled theft of API keys, tokens, and credentials that could compromise downstream services and repositories.
- An AI-powered bot, hackerbot-claw, also exploited GitHub Actions to hijack Trivy’s VS Code extension and push malicious artifacts, tracked as CVE-2026-28353.
Read More: https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html