| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "RUSTSEC-0000-0000" |
| 4 | +package = "rustdecimal" |
| 5 | +date = "2022-05-10" |
| 6 | +url = "https://groups.google.com/g/rustlang-security-announcements/c/5DVtC8pgJLw?pli=1" |
| 7 | +categories = ["code-execution"] |
| 8 | +keywords = ["typosquatting"] |
| 9 | +[versions] |
| 10 | +patched = [] |
| 11 | +``` |
| 12 | + |
| 13 | +# malicious crate `rustdecimal` |
| 14 | + |
| 15 | +The Rust Security Response WG and the crates.io team [were notified][1] on |
| 16 | +2022-05-02 of the existence of the malicious crate `rustdecimal`, which |
| 17 | +contained malware. The crate name was intentionally similar to the name of the |
| 18 | +popular [`rust_decimal`][2] crate, hoping that potential victims would misspell |
| 19 | +its name (an attack called "typosquatting"). |
| 20 | + |
| 21 | +To protect the security of the ecosystem, the crates.io team permanently |
| 22 | +removed the crate from the registry as soon as it was made aware of the |
| 23 | +malware. An analysis of all the crates on crates.io was also performed, and no |
| 24 | +other crate with similar code patterns was found. |
| 25 | + |
| 26 | +Keep in mind that the [`rust_decimal`][2] crate was **not** compromised, and it |
| 27 | +is still safe to use. |
| 28 | + |
| 29 | +## Analysis of the crate |
| 30 | + |
| 31 | +The crate had less than 500 downloads since its first release on 2022-03-25, |
| 32 | +and no crates on the crates.io registry depended on it. |
| 33 | + |
| 34 | +The crate contained identical source code and functionality as the legit |
| 35 | +`rust_decimal` crate, except for the `Decimal::new` function. |
| 36 | + |
| 37 | +When the function was called, it checked whether the `GITLAB_CI` environment |
| 38 | +variable was set, and if so it downloaded a binary payload into |
| 39 | +`/tmp/git-updater.bin` and executed it. The binary payload supported both Linux |
| 40 | +and macOS, but not for Windows. |
| 41 | + |
| 42 | +An analysis of the binary payload was not possible, as the download URL didn't |
| 43 | +work anymore when the analysis was performed. |
| 44 | + |
| 45 | +## Recommendations |
| 46 | + |
| 47 | +If your project or organization is running GitLab CI, we strongly recommend |
| 48 | +checking whether your project or one of its dependencies depended on the |
| 49 | +`rustdecimal` crate, starting from 2022-03-25. If you notice a dependency on |
| 50 | +that crate, you should consider your CI environment to be compromised. |
| 51 | + |
| 52 | +In general, we recommend regularly auditing your dependencies, and only |
| 53 | +depending on crates whose author you trust. If you notice any suspicious |
| 54 | +behavior in a crate's source code please follow [the Rust security |
| 55 | +policy][3] and report it to the Rust Security Response WG. |
| 56 | + |
| 57 | +## Acknowledgements |
| 58 | + |
| 59 | +We want to thank GitHub user [`@safinaskar`][4] for identifying the |
| 60 | +malicious crate in [this GitHub issue][1]. |
| 61 | + |
| 62 | +[1]: https://github.com/paupino/rust-decimal/issues/514#issuecomment-1115408888 |
| 63 | +[2]: https://crates.io/crates/rust_decimal |
| 64 | +[3]: https://www.rust-lang.org/policies/security |
| 65 | +[4]: https://github.com/safinaskar |
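Review bot: line 40 of the new advisory reads "supported both Linux and macOS, but not for Windows"; drop the stray "for" so it reads "but not Windows". On line 34, "the legit `rust_decimal` crate" would read better as "the legitimate `rust_decimal` crate" in an advisory. The metadata looks right as-is: `id = "RUSTSEC-0000-0000"` is the expected placeholder when the id is assigned on merge, and `patched = []` is correct for a removed malicious crate with no safe version. One suggestion for the Recommendations section: since the text already says a dependency on the crate means the CI environment should be considered compromised, it could also state that any credentials exposed to those GitLab CI jobs should be rotated, so readers know what "compromised" requires them to do.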