RustSec Removes safe-agent-rs Over Suspicious Provenance and Impersonation Signs
RustSec pulled safe-agent-rs after linking it to a suspicious publisher account and a lookalike websocket library. The crate had 4,138 downloads, but no crates depended on it.

RustSec removed safe-agent-rs from crates.io after deciding the risk was not just in the crate itself, but in who published it and what it seemed designed to resemble. The advisory, RUSTSEC-2026-0101, was reported on April 13 and issued on April 15, 2026. RustSec said the package was owned by the same user behind pretty-changelog-logger and microsoftsystem64, and that safe-agent-rs appeared to imitate a different websocket library. Even with no crates depending on it, the package had already been downloaded 4,138 times, enough to make the trust question real.
That is the part Rust developers should notice. The removal was not a narrow judgment about a single repository snapshot. It was a registry-level response to provenance, naming, and account history, the sort of signals that matter when a package is trying to slide into a dependency graph by looking familiar. RustSec said it removed safe-agent-rs out of an abundance of caution, which puts the emphasis exactly where it belongs: on the publisher trail, not just on whether a static review finds an obvious payload in the current code.
The decision also fits the policy crates.io announced on February 13, 2026. The registry said it would stop publishing a blog post for every malicious crate, but it would always publish a RustSec advisory when a crate is removed for malware. It also said malicious crates with real usage or exploitation could still warrant a blog post, and that deleted crates’ publishing accounts are immediately disabled. In other words, the response model now treats account-level provenance as part of the security boundary, not an afterthought.
For maintainers, that changes the way package trust gets judged in day-to-day work. A new websocket or agent-oriented crate from an unfamiliar publisher should be checked against the account’s other packages, the naming pattern, and whether the project seems to echo an established dependency that already has mindshare in the ecosystem. A crate can be unsafe to keep around even before it proves malicious in the narrowest sense, because suspicious provenance is often the first sign of an ecosystem play rather than a clean standalone library.
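The three checks described above (publisher's other packages, naming pattern, resemblance to an established dependency) can be turned into a dependency-review pass. The following is an added example, not RustSec's or crates.io's own tooling: the abbreviated Cargo.lock text, the established-crate list, the owner map and the `PUBLISHER-A`/`PUBLISHER-B` handles are all constructed placeholders, and the established list does not identify the websocket library the advisory refers to.

```rust
// Added example (not RustSec's or crates.io's code). All inputs are constructed;
// PUBLISHER-A and PUBLISHER-B are placeholder handles, not real crates.io accounts.
use std::collections::HashMap;

/// Levenshtein distance between two crate names (lookalike detection).
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Names of every `[[package]]` entry in a Cargo.lock body (plain line scan).
fn lock_names(lock: &str) -> Vec<String> {
    lock.lines()
        .filter_map(|l| l.trim().strip_prefix("name = \"")?.strip_suffix('"'))
        .map(str::to_string)
        .collect()
}

/// Flag dependencies that are already pulled, that sit within two edits of an
/// established crate without being one, or whose publisher also owns a pulled
/// crate. Returns (crate, reason) pairs for manual review.
fn review_flags(lock: &str, established: &[&str], owner_of: &HashMap<&str, &str>,
                pulled: &[&str]) -> Vec<(String, String)> {
    let mut flags = Vec::new();
    for name in lock_names(lock) {
        if established.contains(&name.as_str()) { continue; }
        if pulled.contains(&name.as_str()) {
            flags.push((name, "already removed by RustSec".to_string()));
            continue;
        }
        if let Some(e) = established.iter().find(|e| edit_distance(&name, e) <= 2) {
            flags.push((name.clone(), format!("lookalike of {e}")));
        }
        if let Some(p) = owner_of.get(name.as_str()) {
            if let Some(bad) = pulled.iter().find(|c| owner_of.get(*c) == Some(p)) {
                flags.push((name.clone(), format!("publisher also owns pulled crate {bad}")));
            }
        }
    }
    flags
}
```

Run it over a real Cargo.lock by filling `owner_of` from the crates.io owners data for each dependency and `pulled` from current RustSec advisories; the name scan deliberately ignores versions, since the signals here are about provenance, not code.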
RustSec’s action came amid a broader cleanup wave. On the same day, it also removed pretty-changelog-logger, saying its build.rs acted as a loader/dropper for malicious payloads. That crate had three versions published on April 8, 2026 and 2,239 total downloads. Together, the two advisories show the same lesson from two angles: one package was plainly malicious, while the other was removed because the registry no longer waits for a bad-looking crate to become a bigger problem before acting.