The Rust language developers have warned about the discovery of a malicious package, rustdecimal, on crates.io. The package was a copy of the legitimate rust_decimal crate and was distributed under a typosquatted name, on the assumption that a user searching for the crate or picking it from a list would not notice the missing underscore.
Notably, the strategy proved effective: in download count the fake package lagged only slightly behind the original (~111 thousand downloads for rustdecimal 1.23.1 versus 113 thousand for the original rust_decimal 1.23.1). Most of those downloads, however, were of the harmless clone, which did not yet contain malicious code.
The malicious changes were added on March 25 in rustdecimal 1.23.5, which was published before the problem was identified and the package blocked (most downloads of the malicious version are assumed to have been made by bots). No other package in the repository used it as a dependency, although it may have been pulled in as a dependency of end applications.
The malicious changes amounted to a Decimal::new function whose implementation contained obfuscated code for downloading an executable from an external server and running it. When the function was called, it checked whether the GITLAB_CI environment variable was set; if so, the file /tmp/git-updater.bin was downloaded from the external server and executed. The downloaded payload supported Linux and macOS (Windows was not supported).
The malicious function was evidently intended to run while projects were being tested on continuous-integration systems: because it is gated on GITLAB_CI, it stays inert on a developer's workstation. After blocking rustdecimal, the crates.io administrators analysed the repository contents for similar malicious inserts but found no problems in other packages. Owners of GitLab-based continuous-integration systems are advised to verify that the projects tested on their servers did not use the rustdecimal package.
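The check recommended above, as an added example that is not code from the Rust security team or from crates.io: a small std-only Rust audit that reads a project's Cargo.lock, flags any dependency whose name equals a trusted crate once `-`/`_` separators are dropped (the trick rustdecimal relied on, since crates.io already treats `-` and `_` as the same name), reports whether the version is the 1.23.5 release named as malicious, and looks for the /tmp/git-updater.bin drop path. The minimal lockfile reader, the `find_separator_squats` generalisation, and the embedded sample lockfile are this example's own assumptions; the sample is constructed, not a real project's.

```rust
use std::path::Path;

/// One resolved package from Cargo.lock.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Read the `name` and `version` keys of every `[[package]]` table.
/// Assumes the standard Cargo.lock layout of `key = "value"` lines;
/// a deliberately small reader so the example runs with std alone.
pub fn parse_cargo_lock(lock: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    let mut in_package = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any new table header ends the current [[package]] entry.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push(LockedPackage { name: n, version: v });
            }
            in_package = line == "[[package]]";
            continue;
        }
        if !in_package {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => name = Some(value),
                "version" => version = Some(value),
                _ => {}
            }
        }
    }
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        packages.push(LockedPackage { name: n, version: v });
    }
    packages
}

/// crates.io treats `-` and `_` as the same character in a crate name, so the
/// only free look-alike of rust_decimal was the spelling with no separator.
fn canonical(name: &str) -> String {
    name.replace('-', "_")
}

fn without_separators(name: &str) -> String {
    canonical(name).chars().filter(|c| *c != '_').collect()
}

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub package: LockedPackage,
    pub looks_like: String,
}

/// Flag every locked package that, with separators removed, spells the same
/// as a trusted crate but is not that crate (assumed generalisation).
pub fn find_separator_squats(packages: &[LockedPackage], trusted: &[&str]) -> Vec<Finding> {
    packages
        .iter()
        .filter_map(|p| {
            let cp = canonical(&p.name);
            trusted
                .iter()
                .find(|t| canonical(t) != cp && without_separators(t) == without_separators(&cp))
                .map(|t| Finding { package: p.clone(), looks_like: t.to_string() })
        })
        .collect()
}

/// The advisory names rustdecimal 1.23.5 as the release carrying the payload.
pub fn rustdecimal_status(packages: &[LockedPackage]) -> Option<String> {
    packages.iter().find(|p| canonical(&p.name) == "rustdecimal").map(|p| {
        if p.version == "1.23.5" {
            format!("rustdecimal {}: the release identified as malicious", p.version)
        } else {
            format!("rustdecimal {}: typosquat present, not the release identified as malicious", p.version)
        }
    })
}

/// Indicator described in the advisory: the payload is dropped at /tmp/git-updater.bin.
pub fn payload_artifact_present(path: &Path) -> bool {
    path.exists()
}

// Constructed sample Cargo.lock (not a real project's lockfile).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "num-traits"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "num-traits",
]

[[package]]
name = "serde"
version = "1.0.136"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    for f in find_separator_squats(&packages, &["rust_decimal"]) {
        println!("{} {} looks like {}", f.package.name, f.package.version, f.looks_like);
    }
    if let Some(s) = rustdecimal_status(&packages) {
        println!("{}", s);
    }
    if payload_artifact_present(Path::new("/tmp/git-updater.bin")) {
        println!("/tmp/git-updater.bin exists: treat this runner as compromised");
    }
}
```

Run it in the directory of each project a GitLab runner builds (replacing `SAMPLE_LOCK` with `std::fs::read_to_string("Cargo.lock")`); a hit on 1.23.5 or on the drop path means the runner executed the payload and the credentials available to that job should be treated as exposed.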