History ⋅ Edit ⋅ JSON (OSV) RUSTSEC-2025-0146 sha-rust was removed from crates.io for malicious code Reported December 5, 2025 Issued February 6, 2026 (last modified: February 23, 2026) Package sha-rust (crates.io) Type Vulnerability Aliases GHSA-3mmg-7c2q-8938 References https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/ https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials Patched no patched versions Description It appeared to be attempting to steal credentials from local files. Advisory available under CC0-1.0 license.