- Reported
-
- Issued
-
- Package
-
time_calibrator
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- Patched
-
no patched versions
Description
It was reported time_calibrator contained malicious code, that would try to
upload .env files to a server.
The malicious crate had only 1 version published at 2026-02-28 and no evidence
of actual usage. The crate was removed from crates.io and the user account was
locked. There were no crates depending on this crate on crates.io.
Thanks to Gabriel Silva for finding and reporting this to the Rust security response
working group, and thanks to Emily Albini for co-ordinating with the crates.io and
infra-admin teams.
Advisory available under CC0-1.0
license.