
Rust crate removed after build script tried to exfiltrate data

A single-version crate was pulled after RustSec said its build script tried to steal data from the build machine. The case is a sharp reminder that build.rs can reach straight into CI secrets.

Jamie Taylor

A crate disappeared from crates.io after RustSec said its build script tried to exfiltrate data from the build machine, turning a small package into a supply-chain warning with immediate consequences for anyone who trusts install-time code.

The advisory, RUSTSEC-2026-0107, named mysten-metrics and said it was reported on April 22, 2026 and issued on April 24, 2026. RustSec said the crate had only one published version, released on April 20, 2026, with no evidence of actual usage and no dependencies on crates.io. That combination suggests the package was caught early, but it also shows how fast a hostile crate can enter the ecosystem and get swept into automated builds before anyone notices.

The risk comes from build scripts. In Rust, build.rs runs during compilation, not at runtime, which means it can execute while a developer or CI job is already holding source trees, environment variables, credentials, and other secrets that are often far more sensitive than the code being compiled. A malicious build.rs does not need to wait for an app to start. It can try to leak data as soon as the package is built.

That is why this incident lands as more than a one-off removal. It is a reminder that dependency review cannot stop at API names and README files. A tiny utility crate can still carry install-time behavior that reaches outside the normal code path, and automated builds make that behavior especially dangerous if the crate is added without inspection.

The package also mattered because it lived inside Mysten Labs’ Sui repository, tying the warning to a real Rust ecosystem project rather than an abstract threat model. Rust has documented similar malicious-crate incidents before, including exfiltration behavior and typosquatting, which makes the pattern hard to dismiss as a fluke.

The response from the ecosystem has been tightening around these cases. On February 13, 2026, the Rust Blog said crates.io would stop publishing a blog post for every malicious-crate detection, but would always publish a RustSec advisory when a crate is removed for containing malware. In January 2026, crates.io also added a Security tab on crate pages to surface RustSec advisories, along with source lines of code metrics to help users weigh risk before adding a dependency.

For Rust teams, the lesson is direct: treat build-time code as part of the trust boundary, audit newly published crates with care, and keep the blast radius of build scripts as small as possible.
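As an added illustration of the build-script risk described above (this is example code, not from the article, RustSec or the Sui project), here is a heuristic audit that flags a build.rs that reads the whole environment, opens sockets, spawns processes or touches SSH material. The pattern list and the two sample scripts are constructed for the demo; in practice `audit_tree` would be pointed at a vendored `vendor/` directory or a `~/.cargo/registry/src/*/` cache before the first `cargo build` on a new dependency.

```rust
// Added example (not from the article or RustSec): a heuristic audit that
// flags build.rs files touching the environment, the network or child
// processes, which an ordinary build script rarely needs at all.
use std::fs;
use std::path::Path;

/// Constructed heuristic list: substrings a build script has little reason to use.
const RISKY: &[(&str, &str)] = &[
    ("env::vars", "reads the whole environment (CI tokens live there)"),
    ("CARGO_REGISTRY_TOKEN", "names the crates.io publish token"),
    ("TcpStream::connect", "opens a raw network connection"),
    ("UdpSocket", "opens a UDP socket"),
    ("Command::new", "spawns an external process"),
    ("home_dir", "looks up the user's home directory"),
    (".ssh", "touches SSH material"),
];

/// Return the reasons a build script looks suspicious (empty = nothing flagged).
pub fn audit_build_script(source: &str) -> Vec<&'static str> {
    // Drop line comments so a commented-out mention does not trigger a finding.
    let code: String = source
        .lines()
        .map(|l| l.split("//").next().unwrap_or(""))
        .collect::<Vec<_>>()
        .join("\n");
    RISKY
        .iter()
        .filter(|(needle, _)| code.contains(needle))
        .map(|(_, why)| *why)
        .collect()
}

/// Audit every crate directory under `root` that ships a build.rs.
pub fn audit_tree(root: &Path) -> Vec<(String, Vec<&'static str>)> {
    let mut findings = Vec::new();
    let Ok(entries) = fs::read_dir(root) else { return findings };
    for entry in entries.flatten() {
        if let Ok(src) = fs::read_to_string(entry.path().join("build.rs")) {
            let hits = audit_build_script(&src);
            if !hits.is_empty() {
                findings.push((entry.file_name().to_string_lossy().into_owned(), hits));
            }
        }
    }
    findings
}

fn main() {
    // Constructed samples: a typical benign build.rs and a suspicious one.
    let benign = "fn main() { println!(\"cargo:rerun-if-changed=build.rs\"); }";
    let suspicious = "use std::env;\nfn main() { let _e: Vec<_> = env::vars().collect(); let _s = std::net::TcpStream::connect(\"203.0.113.5:80\"); }";
    println!("benign: {:?}", audit_build_script(benign));
    println!("suspicious: {:?}", audit_build_script(suspicious));
    for (krate, why) in audit_tree(Path::new("vendor")) { println!("{krate}: {why:?}"); }
}
```

A hit is a prompt to read the script by hand, not proof of malice; the point is that build-time code gets the same review as runtime code before it runs in CI.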
