In rustdecimal, all versions prior to 1.23.4 contain malicious code that downloads a binary masked as a "readme" file and then, depending on the OS, makes it executable and runs it. The rustdecimal crate appears to be a malicious clone of the real rust-decimal crate. Due to the similarity of the names, it appears many people were fooled:
Fake: https://crates.io/api/v1/crates/rustdecimal/1.23.1/download ~110.7k
Real: https://crates.io/api/v1/crates/rust_decimal/1.23.1/download ~113.2k
It is reported that the malicious code compromised CI environments, so any packages or code using rustdecimal should have their CI environments rebuilt cleanly, API tokens reissued, and so on.
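To find which projects need that cleanup, the following added example (not code from the advisory or from either crate) scans the text of a `Cargo.lock` for an exact `rustdecimal` package entry and reports whether its version falls in the range stated above. The function names and the sample lockfile are constructed for illustration, and the parser assumes the usual `[[package]]` / `name` / `version` layout.

```rust
// Added example: flag the typosquatted crate from this advisory in Cargo.lock text.
const BAD_NAME: &str = "rustdecimal"; // malicious crate name from the page
const FIRST_UNLISTED: [u64; 3] = [1, 23, 4]; // page: "all versions prior to 1.23.4"
// Constructed sample lockfile (not from a real project).
const SAMPLE: &str = r#"version = 3
[[package]]
name = "rust_decimal"
version = "1.23.1"
[[package]]
name = "rustdecimal"
version = "1.23.1"
"#;

// "1.23.1" or "1.23.1-rc.1" -> [1, 23, 1]; None if not three numeric parts.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let out = [parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?];
    if parts.next().is_some() { None } else { Some(out) }
}

// Value of a `key = "value"` line, or None if the line has a different key.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

// Returns (version, in_stated_range) for each entry named exactly BAD_NAME, so
// rust_decimal is never flagged. Unparseable versions count as in range (fail closed).
pub fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let (mut findings, mut name) = (Vec::new(), None);
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None;
        } else if let Some(n) = value_of(line, "name") {
            name = Some(n);
        } else if let Some(v) = value_of(line, "version") {
            if name == Some(BAD_NAME) {
                let in_range = parse_version(v).map_or(true, |p| p < FIRST_UNLISTED);
                findings.push((v.to_string(), in_range));
            }
        }
    }
    findings
}

fn main() {
    for (version, in_range) in scan_lockfile(SAMPLE) {
        println!("{} {} in stated range: {}", BAD_NAME, version, in_range);
    }
}
```

Run it over every lockfile in the repositories a CI system builds; a hit on a historical commit still matters, because the build that ran that commit is the one that would have been exposed.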