Malicious Rust crates on crates.io exfiltrating .env secrets
Malware Activity
Summary
Hide ▲
Show ▼
The five malicious Rust crates on crates.io were published between late February and early March 2026 and operated as a supply-chain infostealer. They masqueraded as time-related utilities while collecting .env secrets from developer workspaces and CI jobs. Stolen data was sent to threat actor-controlled infrastructure through the lookalike domain timeapis[.]io. The activity matters because API keys, tokens, and other secrets in build environments can enable deeper compromise.
Related Happenings
Developer environments using KICS data exposed after Checkmarx breach
Data Leak
H score40
First: 23.04.2026 19:05
Last: 23.04.2026 19:05
Sources 1
About this happening:
The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...
Developer environments using KICS data exposed after Checkmarx breach
Data LeakAbout this happening: The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...
Checkmarx/kics Docker Hub repository hit by network compromise
Incident
H score36
First: 22.04.2026 20:55
Last: 22.04.2026 20:55
Sources 1
About this happening:
**Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...
Checkmarx/kics Docker Hub repository hit by network compromise
IncidentAbout this happening: **Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...
Anthropic Claude Code source code leak from NPM release
Data Leak
H score18
First: 01.04.2026 03:32
Last: 01.04.2026 03:32
Sources 1
About this happening:
Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...
Anthropic Claude Code source code leak from NPM release
Data LeakAbout this happening: Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...
Latest development: 02.04.2026 23:30
Threat actors are using fake GitHub repositories to exploit the Claude Code source code leak and lure users searching for leaked Claude Code into downloading a 7-Zip archive that launches ClaudeCode_x64.exe and drops Vidar and GhostSocks; Zscaler says the bogus repository is SEO-optimized for Google Search queries like “leaked Claude Code.”
Trivy environment credentials leak
Data Leak
H score37
First: 21.03.2026 19:30
Last: 21.03.2026 19:30
Sources 1
About this happening:
The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Trivy environment credentials leak
Data LeakAbout this happening: The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Aqua Security hit by data theft breach
Incident
H score37
First: 20.03.2026 19:47
Last: 20.03.2026 19:47
Sources 1
About this happening:
The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...
Aqua Security hit by data theft breach
IncidentAbout this happening: The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...
Latest development: 23.03.2026 10:31
TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.
Timeline
-
11.03.2026 07:12 2 articles · 4mo ago
Researchers disclose five malicious Rust crates stealing .env secrets
Initial DisclosureResearchers disclosed five malicious Rust crates on crates.io—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—that impersonated timeapi.io, used the lookalike domain timeapis[.]io to exfiltrate .env secrets from developer environments and CI jobs, and hid additional exfiltration logic in chrono_anchor through guard.rs without establishing service or scheduled-task persistence.
Show sources
- Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets — thehackernews.com — 11.03.2026 07:12
- Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets — thehackernews.com — 11.03.2026 07:12