- Reported
-
- Issued
-
- Package
-
dnp3times
(crates.io)
- Type
-
Vulnerability
- Aliases
-
- Patched
-
no patched versions
Description
The dnp3times crate attempted to exfiltrate .env files to a server
that was in turn impersonating the legitimate timeapi.io service. It was
loosely trying to typosquat the dnp3time crate, but otherwise was the same
attack as the time_calibrator and time_calibrators malware yesterday.
The malicious crate had 1 version published on 2026-03-04 approximately 6 hours
before removal and had no evidence of actual downloads. There were no crates
depending on this crate on crates.io.
Advisory available under CC0-1.0
license.