Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious Rust crates on crates.io exfiltrating .env secrets

Malware Activity
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The five malicious Rust crates on crates.io were published between late February and early March 2026 and operated as a supply-chain infostealer. They masqueraded as time-related utilities while collecting .env secrets from developer workspaces and CI jobs. Stolen data was sent to threat actor-controlled infrastructure through the lookalike domain timeapis[.]io. The activity matters because API keys, tokens, and other secrets in build environments can enable deeper compromise.

Related Happenings

Developer environments using KICS data exposed after Checkmarx breach

Data Leak
H score40 First: 23.04.2026 19:05 Last: 23.04.2026 19:05 Sources 1

About this happening: The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...

Checkmarx/kics Docker Hub repository hit by network compromise

Incident
H score36 First: 22.04.2026 20:55 Last: 22.04.2026 20:55 Sources 1

About this happening: **Checkmarx's checkmarx/kics Docker Hub repository** suffered a **supply-chain compromise** that could expose **secrets** from infrastructure-as-code scans. **Unknown threat actor...

Anthropic Claude Code source code leak from NPM release

Data Leak
H score18 First: 01.04.2026 03:32 Last: 01.04.2026 03:32 Sources 1

About this happening: Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...

Latest development: 02.04.2026 23:30

Threat actors are using fake GitHub repositories to exploit the Claude Code source code leak and lure users searching for leaked Claude Code into downloading a 7-Zip archive that launches ClaudeCode_x64.exe and drops Vidar and GhostSocks; Zscaler says the bogus repository is SEO-optimized for Google Search queries like “leaked Claude Code.”

Trivy environment credentials leak

Data Leak
H score37 First: 21.03.2026 19:30 Last: 21.03.2026 19:30 Sources 1

About this happening: The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...

Aqua Security hit by data theft breach

Incident
H score37 First: 20.03.2026 19:47 Last: 20.03.2026 19:47 Sources 1

About this happening: The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...

Latest development: 23.03.2026 10:31

TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.

Timeline

  1. 11.03.2026 07:12 2 articles · 4mo ago

    Researchers disclose five malicious Rust crates stealing .env secrets

    Initial Disclosure

    Researchers disclosed five malicious Rust crates on crates.io—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—that impersonated timeapi.io, used the lookalike domain timeapis[.]io to exfiltrate .env secrets from developer environments and CI jobs, and hid additional exfiltration logic in chrono_anchor through guard.rs without establishing service or scheduled-task persistence.

    Show sources