GHSA-wf45-3gpw-vrqv

Source

https://github.com/advisories/GHSA-wf45-3gpw-vrqv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wf45-3gpw-vrqv/GHSA-wf45-3gpw-vrqv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wf45-3gpw-vrqv

Aliases

RUSTSEC-2026-0031

Published

2026-03-04T21:07:39Z

Modified

2026-03-05T06:11:18.618559Z

Summary

`time_calibrators` was removed from crates.io due to malicious code

Details

The time_calibrators crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.

The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Rust security response working group thanks cybergeek for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io team.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-04T21:07:39Z",
    "github_reviewed": true,
    "cwe_ids": [],
    "severity": "CRITICAL"
}

References

Affected packages

crates.io / time_calibrators

Package

Name: time_calibrators; View open source insights on deps.dev
Purl: pkg:cargo/time_calibrators

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wf45-3gpw-vrqv/GHSA-wf45-3gpw-vrqv.json"