Malicious Rust Packages Hit crates.io: Developer API Keys and Secrets Being Stolen
Malicious packages were published to crates.io in early March 2026 impersonating timeapi.io. They steal developer API keys, tokens, and secrets and exfiltrate them to attacker infrastructure. Here is what happened, which packages are affected, and how to protect yourself.
·6 min read