Malicious Rust crates on crates.io exfiltrating .env secrets
Malware Activity
Summary
The five malicious Rust crates on crates.io were published between late February and early March 2026 and operated as a supply-chain infostealer. They masqueraded as time-related utilities while collecting .env secrets from developer workspaces and CI jobs. Stolen data was sent to threat actor-controlled infrastructure through the lookalike domain timeapis[.]io. The activity matters because API keys, tokens, and other secrets in build environments can enable deeper compromise.
Related Happenings
Developer environments using KICS data exposed after Checkmarx breach
Data Leak
First: 23.04.2026 19:05
Last: 23.04.2026 19:05
Sources 1
About this happening:
The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...
Checkmarx/kics Docker Hub repository hit by network compromise
Incident
First: 22.04.2026 20:55
Last: 22.04.2026 20:55
Sources 1
About this happening:
**Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...
Anthropic Claude Code source code leak from NPM release
Data Leak
First: 01.04.2026 03:32
Last: 01.04.2026 03:32
Sources 1
About this happening:
Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...
Latest development: 02.04.2026 23:30
Threat actors are using fake GitHub repositories to exploit the Claude Code source code leak and lure users searching for leaked Claude Code into downloading a 7-Zip archive that launches ClaudeCode_x64.exe and drops Vidar and GhostSocks; Zscaler says the bogus repository is SEO-optimized for Google Search queries like “leaked Claude Code.”
Trivy environment credentials leak
Data Leak
First: 21.03.2026 19:30
Last: 21.03.2026 19:30
Sources 1
About this happening:
The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Aqua Security hit by data theft breach
Incident
First: 20.03.2026 19:47
Last: 20.03.2026 19:47
Sources 1
About this happening:
The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...
Latest development: 23.03.2026 10:31
TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.
Timeline
- 11.03.2026 07:12 · 2 articles
Researchers disclose five malicious Rust crates stealing .env secrets
Initial Disclosure: Researchers disclosed five malicious Rust crates on crates.io—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—that impersonated timeapi.io, used the lookalike domain timeapis[.]io to exfiltrate .env secrets from developer environments and CI jobs, and hid additional exfiltration logic in chrono_anchor through guard.rs without establishing service or scheduled-task persistence.
Sources:
- Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets — thehackernews.com — 11.03.2026 07:12