Reported

December 5, 2025

Issued

February 6, 2026

Package

finch-rust (crates.io)

Type

Vulnerability

References

• https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/
• https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials

Patched

no patched versions

Description

It depended on the sha-rust crate, which appeared to be attempting to steal credentials from local files.

Advisory available under CC0-1.0 license.