- Reported
-
- Issued
-
- Package
-
time-sync
(crates.io)
- Type
-
Vulnerability
- Patched
-
no patched versions
Description
The time-sync crate attempted to exfiltrate .env files to a server that was
in turn impersonating the legitimate timeapi.io service. This the same attack
that we've seen three times in the last few days.
The malicious crate had 1 version published on 2026-03-04 approximately 50
minutes before removal and had no evidence of actual downloads. There were no
crates depending on this crate on crates.io.
Advisory available under CC0-1.0
license.