|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory: malicious crate rustdecimal" |
| 4 | +author: The Rust Security Response WG |
| 5 | +--- |
| 6 | + |
| 7 | +> This is a cross-post of [the official security advisory][advisory]. The |
| 8 | +> official advisory contains a signed version with our PGP key, as well. |
| 9 | +
|
| 10 | +[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/5DVtC8pgJLw |
| 11 | + |
| 12 | +The Rust Security Response WG and the crates.io team [were notified][1] on |
| 13 | +2022-05-02 of the existence of the malicious crate `rustdecimal`, which |
| 14 | +contained malware. The crate name was intentionally similar to the name of the |
| 15 | +popular [`rust_decimal`][2] crate, hoping that potential victims would misspell |
| 16 | +its name (an attack called "typosquatting"). |
| 17 | + |
| 18 | +To protect the security of the ecosystem, the crates.io team permanently |
| 19 | +removed the crate from the registry as soon as it was made aware of the |
| 20 | +malware. An analysis of all the crates on crates.io was also performed, and no |
| 21 | +other crate with similar code patterns was found. |
| 22 | + |
| 23 | +Keep in mind that the [`rust_decimal`][2] crate was **not** compromised, and it |
| 24 | +is still safe to use. |
| 25 | + |
| 26 | +## Analysis of the crate |
| 27 | + |
| 28 | +The crate had less than 500 downloads since its first release on 2022-03-25, |
| 29 | +and no crates on the crates.io registry depended on it. |
| 30 | + |
| 31 | +The crate contained identical source code and functionality as the legit |
| 32 | +`rust_decimal` crate, except for the `Decimal::new` function. |
| 33 | + |
| 34 | +When the function was called, it checked whether the `GITLAB_CI` environment |
| 35 | +variable was set, and if so it downloaded a binary payload into |
| 36 | +`/tmp/git-updater.bin` and executed it. The binary payload supported both Linux |
| 37 | +and macOS, but not Windows. |
| 38 | + |
| 39 | +An analysis of the binary payload was not possible, as the download URL didn't |
| 40 | +work anymore when the analysis was performed. |
| 41 | + |
| 42 | +## Recommendations |
| 43 | + |
| 44 | +If your project or organization is running GitLab CI, we strongly recommend |
| 45 | +checking whether your project or one of its dependencies depended on the |
| 46 | +`rustdecimal` crate, starting from 2022-03-25. If you notice a dependency on |
| 47 | +that crate, you should consider your CI environment to be compromised. |
| 48 | + |
| 49 | +In general, we recommend regularly auditing your dependencies, and only |
| 50 | +depending on crates whose author you trust. If you notice any suspicious |
| 51 | +behavior in a crate's source code please follow [the Rust security |
| 52 | +policy][3] and report it to the Rust Security Response WG. |
| 53 | + |
| 54 | +## Acknowledgements |
| 55 | + |
| 56 | +We want to thank GitHub user [`@safinaskar`][4] for identifying the |
| 57 | +malicious crate in [this GitHub issue][1]. |
| 58 | + |
| 59 | +[1]: https://github.com/paupino/rust-decimal/issues/514#issuecomment-1115408888 |
| 60 | +[2]: https://crates.io/crates/rust_decimal |
| 61 | +[3]: https://www.rust-lang.org/policies/security |
| 62 | +[4]: https://github.com/safinaskar |
0 commit comments