GSD-2022-1002520

Import Source
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002520.json
Withdrawn
2023-03-14T07:01:09.291282Z
Published
2022-05-21T20:07:07.841941Z
Modified
2023-03-14T07:01:09.291282Z
Details

In rustdecimal, all versions prior to 1.23.4 contain malicious code that downloads a binary disguised as a "readme" file and then, depending on the OS, makes it executable and runs it. The rustdecimal crate appears to be a malicious clone of the real rust_decimal crate. Due to the similarity of the names, it appears many people were fooled:

Fake: https://crates.io/api/v1/crates/rustdecimal/1.23.1/download (~110.7k)
Real: https://crates.io/api/v1/crates/rust_decimal/1.23.1/download (~113.2k)

It is reported that the malicious code compromised CI environments; therefore any package or project that used rustdecimal should have its CI environments rebuilt from a clean state, its API tokens reissued, and so on.
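As an added illustration, not part of the GSD record, the following defender-side check scans a Cargo.lock for the typosquatted crate name in an affected version and flags other names that normalise to the genuine crate's name. The lockfile fragment is constructed for the example; the crate names and the 1.23.4 boundary come from the advisory above.

```python
import re
from typing import List, Tuple

# Typosquatted crate and the genuine crate it imitates, as named in the advisory.
FAKE_CRATE = "rustdecimal"
REAL_CRATE = "rust_decimal"
# The advisory states every version before this one is malicious.
FIXED_VERSION = (1, 23, 4)

# Constructed Cargo.lock fragment (not a real project's lockfile): one genuine
# entry and one entry pulling in the typosquat.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "rust_decimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.23.1' into (1, 23, 1); any pre-release suffix is ignored."""
    return tuple(int(p) for p in re.match(r"[\d.]+", text).group(0).split("."))

def lockfile_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from every [[package]] table in a Cargo.lock."""
    pkgs = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            pkgs.append((name.group(1), version.group(1)))
    return pkgs

def find_typosquat(lock_text: str) -> List[str]:
    """Flag the known-bad crate in an affected version, plus any other crate whose
    name differs from the genuine one only by '-' or '_' (cheap typosquat heuristic)."""
    findings = []
    norm = lambda s: s.replace("-", "").replace("_", "")
    for name, version in lockfile_packages(lock_text):
        if name == FAKE_CRATE and parse_version(version) < FIXED_VERSION:
            findings.append(f"{name} {version}: malicious typosquat of {REAL_CRATE}; rebuild CI, reissue tokens")
        elif name != REAL_CRATE and norm(name) == norm(REAL_CRATE):
            findings.append(f"{name} {version}: name collides with {REAL_CRATE}; verify its origin")
    return findings
```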

References

Affected packages