History ⋅ Edit ⋅ JSON (OSV) RUSTSEC-2025-0146 sha-rust was removed from crates.io for malicious code Reported December 5, 2025 Issued February 6, 2026 Package sha-rust (crates.io) Type Vulnerability References https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/ https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials Patched no patched versions Description It appeared to be attempting to steal credentials from local files. Advisory available under CC0-1.0 license.