- Reported:
- Issued:
- Package: chrono_anchor (crates.io)
- Type: Vulnerability
- Patched: no patched versions
Description
The chrono_anchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.
The malicious crate had 1 version, published on 2026-03-04, approximately 6 days before removal, and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.
Thanks to Socket for reporting this crate. They have published a blog post about this recent campaign, and we advise users of timeapi.io to exercise caution when using crates to interact with that service.
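A lockfile check for this advisory, as an added example that is not RustSec's or Socket's code: it scans Cargo.lock text for chrono_anchor and lists the packages that pull it in. The sample lockfile, the package name my_app and both version strings are constructed placeholders, and treating '-' and '_' alike when comparing names is an assumption made for conservative matching.

```rust
// Added example (not RustSec or Socket code): audit Cargo.lock text for a flagged crate.
#[derive(Debug, Default)]
struct LockedPackage { name: String, version: String, deps: Vec<String> }

// Assumption: compare names with '-' and '_' treated alike, a conservative match.
fn norm(name: &str) -> String { name.replace('-', "_").to_lowercase() }

// Value of a `key = "value"` line, or None if the line has a different key.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

// Collect every [[package]] table with its name, version and dependency names.
fn parse_lock(text: &str) -> Vec<LockedPackage> {
    let mut pkgs: Vec<LockedPackage> = Vec::new();
    let mut in_pkg = false;
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            in_pkg = line == "[[package]]";
            if in_pkg { pkgs.push(LockedPackage::default()); }
        } else if in_pkg {
            let cur = pkgs.last_mut().unwrap();
            if let Some(v) = quoted_value(line, "name") { cur.name = v; }
            else if let Some(v) = quoted_value(line, "version") { cur.version = v; }
            else if let Some(dep) = line.strip_prefix('"') {
                // Array entry: "foo" or "foo 1.2.3 (registry+...)"; keep the name.
                let name = dep.split(|c: char| c == ' ' || c == '"').next().unwrap_or("");
                cur.deps.push(name.to_string());
            }
        }
    }
    pkgs
}

// Returns (locked versions of the flagged crate, packages that depend on it).
fn audit(text: &str, flagged: &str) -> (Vec<String>, Vec<String>) {
    let (pkgs, want) = (parse_lock(text), norm(flagged));
    let versions: Vec<String> = pkgs.iter().filter(|p| norm(&p.name) == want)
        .map(|p| p.version.clone()).collect();
    let dependents: Vec<String> = pkgs.iter()
        .filter(|p| p.deps.iter().any(|d| norm(d) == want))
        .map(|p| p.name.clone()).collect();
    (versions, dependents)
}

// Constructed lockfile; "my_app" and both version strings are placeholders.
const SAMPLE: &str = "[[package]]\nname = \"chrono_anchor\"\nversion = \"0.0.0\"\n\n\
    [[package]]\nname = \"my_app\"\nversion = \"0.1.0\"\ndependencies = [\n \"chrono_anchor\",\n]\n";

fn main() {
    let (versions, dependents) = audit(SAMPLE, "chrono_anchor");
    println!("locked versions: {:?}; pulled in by: {:?}", versions, dependents);
}
```

Any non-empty result means the crate is in the resolved dependency graph and the named dependents are where to start removing it.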
Advisory available under CC0-1.0 license.