crates.io Strengthens Security: How the Updated Malicious Crate Notification Policy Protects Rust Developers
The crates.io team has made a deliberate shift in how it communicates security incidents: individual blog posts will no longer accompany each detection or report of a malicious crate. In the overwhelming majority of cases examined to date, flagged crates have shown no evidence of real-world adoption or active exploitation. Under those circumstances, issuing standalone blog posts creates more noise than actionable signal for the Rust community.
Going forward, every crate removed for containing malware will receive a formal RustSec advisory — the ecosystem's authoritative channel for security disclosures. Developers and security teams who want to stay current can subscribe to the RustSec advisory RSS feed for structured, timely notifications.
The policy does preserve elevated communication for higher-severity situations. Malicious crates that demonstrate real-world usage or confirmed exploitation will continue to receive both a dedicated blog post and a corresponding RustSec advisory. Where circumstances warrant broader and more urgent reach, the team may also issue notifications through additional channels, including social media.
Recent crates
To mark this policy transition, the crates.io team is publishing a consolidated retrospective of every malicious crate removed between the previous blog post and today — representing the incidents that would previously have warranted individual disclosures:
- finch_cli_rust, finch-rst, and sha-rst: on December 9th, 2025, Matthias Zepper of National Genomics Infrastructure Sweden notified the Rust security response working group that these crates were engaged in credential exfiltration through typosquatting, impersonating the legitimate finch and finch_cli packages. Advisories: RUSTSEC-2025-0150, RUSTSEC-2025-0151, RUSTSEC-2025-0152.
- polymarket-clients-sdk: on February 6th, security firm Socket alerted the team that this crate was conducting credential exfiltration by masquerading as the polymarket-client-sdk package, another instance of supply chain manipulation via name confusion. Advisory: RUSTSEC-2026-0010.
- polymarket-client-sdks: reported on February 13th, this crate employed an identical impersonation technique against the polymarket-client-sdk package, again targeting credential data. Advisory: RUSTSEC-2026-0011.
Across all three incidents, the response was consistent and swift: the offending crates were deleted, the associated publisher accounts were immediately disabled, and reports were submitted to relevant upstream providers as appropriate.
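All of the crates above traded on name confusion: either a near-identical spelling of a legitimate crate (polymarket-clients-sdk, polymarket-client-sdks) or the legitimate name with an extra segment bolted on (finch-rst, finch_cli_rust, sha-rst). The following is an added example of the kind of check a project can run over its own Cargo.lock before a typosquat ships; it is not crates.io or RustSec code. It assumes a watch list of crate names the project legitimately depends on, a constructed Cargo.lock fragment embedded inline, and that hyphens and underscores are compared as equivalent when matching names.

```rust
// Added example (not crates.io code): flag Cargo.lock dependencies whose
// names look like typosquats of a watch list of legitimate crate names.

/// Maximum edit distance at which a name counts as a near miss.
const MAX_DISTANCE: usize = 2;

/// Assumed watch list: crates this hypothetical project really depends on.
pub const WATCH_LIST: &[&str] = &["finch", "finch_cli", "polymarket-client-sdk", "sha", "serde"];

/// Levenshtein edit distance (insert/delete/substitute) between two strings.
pub fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Assumption: '-' and '_' are treated as the same character when comparing
/// names, so `finch-rst` and `finch_rst` are judged identically.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

#[derive(Debug, PartialEq, Eq, Clone)]
pub enum Suspicion {
    /// Within MAX_DISTANCE edits of a legitimate name (polymarket-clients-sdk).
    NearMiss(usize),
    /// A legitimate name with an extra `_xxx` suffix or `xxx_` prefix (finch-rst).
    Affix,
}

/// Classify one dependency name. Returns the legitimate name it resembles and why.
/// Exact matches to the watch list are the genuine crate and return None.
pub fn check_name(name: &str, watch_list: &[&str]) -> Option<(String, Suspicion)> {
    let n = normalize(name);
    if watch_list.iter().any(|l| normalize(l) == n) {
        return None;
    }
    // Ranking key: near misses first (smaller distance wins), then affix hits
    // (longer legitimate name wins, so finch_cli_rust reports finch_cli, not finch).
    let mut best: Option<((u8, usize), String, Suspicion)> = None;
    for legit in watch_list {
        let l = normalize(legit);
        let d = edit_distance(&n, &l);
        let cand = if d <= MAX_DISTANCE {
            Some(((0, d), Suspicion::NearMiss(d)))
        } else if n.starts_with(&format!("{l}_")) || n.ends_with(&format!("_{l}")) {
            Some(((1, usize::MAX - l.len()), Suspicion::Affix))
        } else {
            None
        };
        if let Some((key, s)) = cand {
            if best.as_ref().map_or(true, |(k, _, _)| key < *k) {
                best = Some((key, legit.to_string(), s));
            }
        }
    }
    best.map(|(_, l, s)| (l, s))
}

/// Pull every `name = "..."` value out of Cargo.lock text (no TOML crate needed;
/// Cargo.lock lists one such line per [[package]] block).
pub fn lock_names(lock: &str) -> Vec<String> {
    lock.lines()
        .map(str::trim)
        .filter_map(|l| l.strip_prefix("name = \""))
        .filter_map(|rest| rest.strip_suffix('"'))
        .map(str::to_string)
        .collect()
}

/// Scan a whole lock file: (dependency name, legitimate name it resembles, reason).
pub fn scan_lock(lock: &str, watch_list: &[&str]) -> Vec<(String, String, Suspicion)> {
    lock_names(lock)
        .into_iter()
        .filter_map(|n| check_name(&n, watch_list).map(|(l, s)| (n, l, s)))
        .collect()
}

/// Constructed Cargo.lock fragment: two genuine dependencies and two typosquats.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.0"

[[package]]
name = "finch_cli"
version = "0.1.0"

[[package]]
name = "finch-rst"
version = "0.1.0"

[[package]]
name = "polymarket-clients-sdk"
version = "0.2.0"
"#;

fn main() {
    for (dep, legit, why) in scan_lock(SAMPLE_LOCK, WATCH_LIST) {
        println!("SUSPICIOUS: {dep} resembles {legit} ({why:?})");
    }
}
```

Treat the output as a triage list, not a verdict: very short legitimate names such as sha will produce near-miss hits on other genuine crates (sha2 is one edit away), so in practice the watch list is paired with an allow list of known-good neighbours, and any hit is confirmed against the RustSec advisory feed before a dependency is pulled.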
Thanks
The crates.io team extends its sincere appreciation to Matthias Zepper, Socket, and the individual who reported the polymarket-client-sdks crate for their vigilance and prompt disclosure. Recognition is equally due to Dirkjan Ochtman of the secure code working group, Emily Albini of the security response working group, and Walter Pearce of the Rust Foundation, each of whom played an instrumental role in coordinating and executing the incident response.