- Reported
-
- Issued
-
- Package
-
onering
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Patched
-
no patched versions
- Unaffected
-
Description
A new version of the onering crate was published with code that attempted to
exfiltrate both metadata and code from the project it was included within.
One malicious version was published on 2026-06-10, approximately six hours
before removal. This crate has no dependencies on crates.io, and there is no
evidence of actual usage of the compromised version.
Thanks to Charlie Eriksen for the report.
Advisory available under CC0-1.0
license.