- Reported
-
- Issued
-
- Package
-
logflux
- Type
-
Vulnerability
- Categories
-
- Patched
-
no patched versions
Description
The logflux crate attempted to download and run a malicious payload on the
user's machine.
The malicious crate had 1 version published on 2026-04-26, approximately 1
month before removal, and had no evidence of actual usage. This crate had no
dependencies on crates.io.
Thanks to Paweł Bis for discovering and reporting this crate!
This appears to have been part of a campaign targeting people applying for Rust
jobs. Please be careful with take-home assignments, especially if they ask you
to use specific dependencies.
Advisory available under CC0-1.0
license.