RUSTSEC-2025-0152

finch_cli_rust was removed from crates.io for malicious code

Reported

December 9, 2025

Issued

February 12, 2026 (last modified: March 17, 2026)

Package

finch_cli_rust

Type

Vulnerability

Categories

malicious

Aliases

GHSA-6v2j-vr4h-f632

Patched

no patched versions

Description

This attempts to typosquat the existing crate finch_cli to steal credentials from local files.

The malicious crate had 1 version published on 2025-12-08 and had been downloaded 18 times. There were no crates depending on this crate on crates.io.

Thanks to Matthias Zepper of NGI Sweden for reporting this to the crates.io team!

Advisory available under CC0-1.0 license.