{"id":222,"date":"2026-03-11T06:56:14","date_gmt":"2026-03-11T06:56:14","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=222"},"modified":"2026-03-11T06:56:14","modified_gmt":"2026-03-11T06:56:14","slug":"five-malicious-rust-crates-and-ai-bot-exploit-ci-cd-pipelines-to-steal-developer-secrets","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=222","title":{"rendered":"Five Malicious Rust Crates and AI Bot Exploit CI\/CD Pipelines to Steal Developer Secrets"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors.<\/p>\n<p>The Rust packages, published to crates.io, are listed below &#8211;<\/p>\n<ul>\n<li>chrono_anchor<\/li>\n<li>dnp3times<\/li>\n<li>time_calibrator<\/li>\n<li>time_calibrators<\/li>\n<li>time-sync<\/li>\n<\/ul>\n<p>The crates, per Socket, impersonate timeapi.io and were published between late February and early March 2026. It&#8217;s assessed to be the work of a single threat actor based on the use of the same exfiltration methodology and the lookalike domain (\u00abtimeapis[.]io\u00bb) to stash the stolen data.<\/p>\n<p>\u00abAlthough the crates pose as local time utilities, their core behavior is credential and secret theft,\u00bb security researcher Kirill Boychenko <a href=\"https:\/\/socket.dev\/blog\/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThey attempt to collect sensitive data from developer environments, most notably .env files, and exfiltrate it to threat actor-controlled infrastructure.\u00bb<\/p>\n<p>While four of the aforementioned packages exhibit fairly straightforward capabilities to exfiltrate .env files, \u00abchrono_anchor\u00bb goes a step further by implementing obfuscation and operational changes so as to avoid detection. The crates were advertised as a way to calibrate local time without relying on the Network Time Protocol (NTP).<\/p>\n<p>\u00abChrono_anchor\u00bb incorporates the exfiltration logic within a file named \u00abguard.rs\u00bb that&#8217;s invoked from an \u00aboptional sync\u00bb helper function so as to avoid raising developer suspicions. 
Unlike other malware, the code observed in this case does not aim to set up persistence on the host through a service or scheduled task.<\/p>\n<p>Instead, the crate attempts to repeatedly exfiltrate .env secrets every time the developer of a Continuous Integration (CI) workflow calls the malicious code.<\/p>\n<p>The targeting of .env files is no accident, as they&#8217;re typically used to hold API keys, tokens, and other secrets, allowing an attacker to compromise downstream users and gain deeper access to their environments, including cloud services, databases, and GitHub and registry tokens.<\/p>\n<p>While the packages have since been removed from crates.io, users who may have accidentally downloaded them are advised to assume possible exfiltration, rotate keys and tokens, audit CI\/CD jobs that run with publish or deploy credentials, and limit outbound network access where possible.<\/p>\n<p>\u00abThis campaign shows that low-complexity supply chain malware can still deliver high impact when it runs inside developer workspaces and CI jobs,\u00bb Socket said. 
\u00abPrioritize controls that stop malicious dependencies before they execute.\u00bb<\/p>\n<h3>AI-Powered Bot Exploits GitHub Actions<\/h3>\n<p>The disclosure follows the discovery of an automated attack campaign that targeted CI\/CD pipelines spanning major open-source repositories, with an artificial intelligence (AI)-powered bot called hackerbot-claw scanning public repositories for exploitable GitHub Actions workflows to harvest developer secrets.<\/p>\n<p>Between February 21 and February 28, 2026, the GitHub account, which described itself as an autonomous security research agent, targeted no fewer than seven repositories belonging to Microsoft, Datadog, and Aqua Security, among others.<\/p>\n<p>The <a href=\"https:\/\/www.stepsecurity.io\/blog\/hackerbot-claw-github-actions-exploitation#attack-6-aquasecuritytrivy---evidence-cleared\" rel=\"noopener\" target=\"_blank\">attack<\/a> unfolds as follows &#8211;<\/p>\n<ul>\n<li>Scan public repositories for misconfigured CI\/CD pipelines<\/li>\n<li>Fork target repository and ready a malicious payload<\/li>\n<li>Open a pull request with a trivial change such as a typo fix, while concealing the main payload in the branch name, file name, or a CI script<\/li>\n<li>Trigger the CI pipeline by taking advantage of the fact that workflows are automatically activated on every pull request, causing the malicious code to be executed on the build server<\/li>\n<li>Steal secrets and access tokens<\/li>\n<\/ul>\n<p>One of the highest-profile targets of the attack was the repository \u00abaquasecurity\/trivy,\u00bb a popular security scanner from Aqua Security that searches for known vulnerabilities, misconfigurations, and secrets.<\/p>\n<p>\u00abHackerbot-claw exploited a <a href=\"https:\/\/www.stepsecurity.io\/blog\/github-actions-pwn-request-vulnerability\" rel=\"noopener\" target=\"_blank\">pull_request_target workflow<\/a> to steal a Personal Access Token (PAT),\u00bb supply chain security company StepSecurity said. 
\u00abThe stolen credential was then used to take over the repository.\u00bb<\/p>\n<p>In a <a href=\"https:\/\/github.com\/aquasecurity\/trivy\/discussions\/10265\" rel=\"noopener\" target=\"_blank\">statement<\/a> issued last week, Aqua Security&#8217;s Itay Shakury revealed that the attacker used the GitHub Actions workflow to push a malicious version of Trivy&#8217;s Visual Studio Code (VS Code) extension to the Open VSX registry, one designed to leverage local AI coding agents to collect and exfiltrate sensitive information.<\/p>\n<p>Socket, which also investigated the extension compromise, <a href=\"https:\/\/socket.dev\/blog\/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension\" rel=\"noopener\" target=\"_blank\">said<\/a> the injected logic in versions 1.8.12 and 1.8.13 executes local AI coding assistants, including Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI, in highly permissive modes, instructing them to perform extensive system inspection, generate a report of discovered information, and save the results to a GitHub repository named \u00abposture-report-trivy\u00bb using the victim&#8217;s own authenticated GitHub CLI session.<\/p>\n<p>Aqua has since removed the artifacts from the marketplace and revoked the token used to publish them. Users who installed the extensions are advised to immediately remove them, check for the presence of unexpected repositories, and rotate environment secrets. The malicious artifact has been removed. No other affected artifacts have been identified. 
The incident is being tracked under the CVE identifier <a href=\"https:\/\/github.com\/aquasecurity\/trivy-vscode-extension\/security\/advisories\/GHSA-8mr6-gf9x-j8qg\" rel=\"noopener\" target=\"_blank\">CVE-2026-28353<\/a>.<\/p>\n<p>It&#8217;s worth pointing out that for a system to be impacted by the issue, the following prerequisites need to be fulfilled &#8211;<\/p>\n<ul>\n<li>Version 1.8.12 or 1.8.13 was installed from Open VSX<\/li>\n<li>At least one of the targeted AI coding CLIs was installed locally<\/li>\n<li>The CLI accepted the permissive execution flags provided<\/li>\n<li>The agent was able to access sensitive data on disk<\/li>\n<li>The GitHub CLI was installed and authenticated (for version 1.8.13)<\/li>\n<\/ul>\n<p>\u00abThe progression from .12 to .13 looks like iteration,\u00bb Socket said. \u00abThe first prompt scatters data across random channels with no reliable way for the attacker to collect the output. The second fixes that problem by using the victim&#8217;s own GitHub account as a clean exfiltration channel, but its vague instructions might cause the agent to push secrets to a private repo the attacker can&#8217;t see.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors. 
The Rust packages, published to crates.io, are listed&hellip;<\/p>\n","protected":false},"author":1,"featured_media":223,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[358,576,575,223,120,33,577,574,145,571],"class_list":["post-222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-bot","tag-cicd","tag-crates","tag-developer","tag-exploit","tag-malicious","tag-pipelines","tag-rust","tag-secrets","tag-steal"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=222"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/222\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/223"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}