
Five Malicious Rust Crates Disguised as Time Utilities Stole Developer Secrets

Five Rust crates posing as time utilities silently harvested .env secrets, posting them to a lookalike domain that mimicked a trusted time API service.

Nina Kowalski
Source: socket.dev

A coordinated supply-chain attack buried inside five innocent-looking Rust crates spent weeks quietly hunting for developer secrets before researchers caught it. The crates, named chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync, were published to crates.io between late February and early March 2026, each one dressed up as a benign time-related utility and each one running identical code designed to locate and exfiltrate .env files.

The exfiltration destination was the detail that gave the campaign away. All five crates posted stolen secrets to timeapis.io, a lookalike domain crafted to impersonate the legitimate timeapi.io service. That shared infrastructure, combined with repeated code patterns and identical exfiltration logic across every package, led Socket's Threat Research Team to a firm conclusion. "We assess with a high degree of confidence that these crates belong to the same campaign based on shared infrastructure, repeated code patterns, and identical exfiltration logic," the team wrote in its March 10, 2026 report authored by Kirill Boychenko.

Four of the five packages were yanked shortly after publication, according to records in RustSec and the GitHub Advisory Database. The fifth, chrono_anchor, was still live on crates.io when Socket first flagged it. "We petitioned for its removal and for suspension of the publisher account," the Socket report states. "The crates.io security team rapidly investigated, yanked chrono_anchor, and suspended the associated publishing account. We also filed an abuse report requesting action on the publisher's GitHub account, which remained accessible at the time of writing."

Adam Harvey of the crates.io team confirmed the removal and, as Socket reported, emphasized the ongoing collaboration between registry maintainers and security researchers. Socket closed its report by noting: "We appreciate the crates.io security team's prompt response in this case and in prior cases where we reported malicious crates."

The campaign fits a pattern that has been building in the Rust ecosystem across the past year. In May 2025, two crates called faster_log and async_println accumulated 8,424 combined downloads before takedown in a typosquatting campaign that cloned the legitimate fast_log logging library, retained its real functionality as cover, and added a payload that scanned Rust source files for Ethereum and Solana private keys before exfiltrating them via HTTP POST to a hardcoded command-and-control domain disguised as a Solana RPC endpoint. The attackers behind that campaign operated under the aliases rustguruman and dumbnbased. Separately, a crate called evm-units, uploaded in mid-April 2025 by a crates.io user named "ablerust," attracted more than 7,000 downloads over eight months while delivering OS-specific payloads targeting Windows, macOS, and Linux. A companion package, uniswap-utils, listed evm-units as a dependency and racked up more than 7,400 downloads. Socket researcher Olivia Brown described its behavior at the time: "Based on the victim's operating system and whether Qihoo 360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it."

The March 2026 campaign adds a new wrinkle to that history: rather than targeting blockchain credentials or deploying OS-level payloads, it went after the .env files that developers routinely use to store API keys, database credentials, and service tokens across virtually any Rust project. The lookalike domain strategy, designed to make outbound traffic blend in with legitimate time-API calls, suggests a threat actor who understood exactly how to hide inside normal development workflows. No download counts for the five crates have been disclosed, and no specific victims or successful exfiltration instances have been confirmed publicly, leaving the full scope of the campaign still open.
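Yanking a crate does not remove it from lockfiles that already reference it, so a project can be checked directly against the indicators named above. The following is an added example, not code from Socket or crates.io: a std-only Rust audit that flags the five crate names in Cargo.lock text and tests hostnames from proxy or DNS logs against the lookalike domain. The function names and the sample lockfile are constructed for illustration.

```rust
const FLAGGED_CRATES: [&str; 5] = [
    "chrono_anchor", "dnp3times", "time_calibrator", "time_calibrators", "time-sync",
];
// Lookalike exfiltration domain (the legitimate service is timeapi.io).
const LOOKALIKE_DOMAIN: &str = "timeapis.io";

// crates.io treats '-' and '_' as equal for name uniqueness, so fold them (and case).
fn normalize(name: &str) -> String {
    name.trim().to_ascii_lowercase().replace('-', "_")
}

// Return (name, version) for each [[package]] entry naming a flagged crate.
fn flagged_packages(lockfile: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name: Option<String> = None;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // start of a new entry
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() {
                if FLAGGED_CRATES.iter().any(|f| normalize(f) == normalize(&n)) {
                    hits.push((n, v.trim_matches('"').to_string()));
                }
            }
        }
    }
    hits
}

// True for the lookalike domain or any subdomain of it. Matching on whole
// labels keeps timeapi.io and unrelated names ending in the string out.
fn is_lookalike_host(host: &str) -> bool {
    let h = host.trim().trim_end_matches('.').to_ascii_lowercase();
    h == LOOKALIKE_DOMAIN || h.ends_with(&format!(".{}", LOOKALIKE_DOMAIN))
}

fn main() {
    // Constructed sample lockfile; the versions are made up.
    let lock = "[[package]]\nname = \"chrono\"\nversion = \"0.4.38\"\n\n\
                [[package]]\nname = \"time-sync\"\nversion = \"0.1.0\"\n";
    for (n, v) in flagged_packages(lock) {
        println!("flagged crate in lockfile: {} {}", n, v);
    }
    for host in ["timeapi.io", "api.timeapis.io", "nottimeapis.io"] {
        println!("{} -> lookalike: {}", host, is_lookalike_host(host));
    }
}
```

A hit on either check is a reason to rotate every secret stored in the affected project's .env files.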
