GSD-2022-1002520

Source
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002520.json
Published
2022-05-21T20:07:07.841941Z
Modified
2022-05-21T20:07:07.841941Z
Details

In rustdecimal, all versions prior to 1.23.4 contain malicious code that downloads a binary masked as a "readme" file and then, depending on the OS, makes it executable and runs it. The rustdecimal crate appears to be a malicious clone of the real rust-decimal crate. Due to the similarity of the names it appears many people were fooled (download counts at the time):

Fake: https://crates.io/api/v1/crates/rustdecimal/1.23.1/download ~110.7k
Real: https://crates.io/api/v1/crates/rust_decimal/1.23.1/download ~113.2k

It is reported that the malicious code compromised CI environments, thus any packages or code using rustdecimal should have their CI environments rebuilt cleanly, API tokens reissued and so on.
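A lockfile check for the crate named in this advisory, added here as an example and not part of the GSD record: it parses a Cargo.lock, flags any locked `rustdecimal` package regardless of version (all versions are affected), and, as a hypothetical heuristic going beyond this one case, also reports crate names in the same lockfile that collide once `-` and `_` are removed. The Cargo.lock excerpt is constructed sample input.

```python
import re

# Constructed Cargo.lock excerpt (sample input, not from the advisory): it lists
# the real rust_decimal crate alongside the malicious typosquat rustdecimal.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "rust_decimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.137"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Per this advisory every published rustdecimal version is malicious, so the
# block list keys on the crate name alone rather than on a version range.
MALICIOUS_CRATES = {"rustdecimal": "GSD-2022-1002520: malicious clone of rust_decimal"}

_BLOCK = re.compile(r"\[\[package\]\]\n(.*?)(?=\n\[\[|\Z)", re.S)
_FIELD = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)

def parse_cargo_lock(text):
    """Return each [[package]] entry of a Cargo.lock as a dict of its string fields."""
    return [dict(_FIELD.findall(body)) for body in _BLOCK.findall(text)]

def find_malicious(packages):
    """Flag locked packages whose name is on the block list, with the reason."""
    return [(p["name"], p.get("version", ""), MALICIOUS_CRATES[p["name"]])
            for p in packages if p.get("name") in MALICIOUS_CRATES]

def find_lookalikes(packages):
    """Hypothetical heuristic: report groups of crate names in one lockfile that
    become identical once '-' and '_' are dropped (rustdecimal vs rust_decimal)."""
    by_key = {}
    for p in packages:
        key = p.get("name", "").replace("_", "").replace("-", "")
        by_key.setdefault(key, set()).add(p.get("name", ""))
    return [sorted(names) for names in by_key.values() if len(names) > 1]

if __name__ == "__main__":
    pkgs = parse_cargo_lock(SAMPLE_CARGO_LOCK)
    for name, version, why in find_malicious(pkgs):
        print(f"BLOCKED {name} {version}: {why}")
    for group in find_lookalikes(pkgs):
        print("lookalike crate names in the same lockfile:", " / ".join(group))
```

A hit on `rustdecimal` means the build environment that resolved that lockfile should be treated as compromised, in line with the advisory's guidance to rebuild CI and reissue tokens.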

References

Affected packages

GSD / rustdecimal

rustdecimal

Affected ranges

Affected versions

Other

all