The Rust Foundation has issued a warning to developers about a phishing campaign targeting users of the crates.io package registry. The attack resembles attempts in recent months to compromise accounts on services such as npm, PyPI, and Mozilla AMO in order to publish releases containing malicious code. As of now, there is no information available about any successful account compromises resulting from the campaign.
Developers of packages hosted in the crates.io catalog began receiving emails styled to resemble notifications from crates.io, warning of a compromise of the project's infrastructure and possible unauthorized access to user data. To prevent unauthorized changes to their packages, developers were advised to update their account details via a form that required authentication through the Single Sign-On (SSO) system.

Links within the phishing email led to the domain rustfoundation.dev, which is not affiliated with the Rust project. Following the link took users to a page at github.rustfoundation.dev/login that prompted them to authenticate via GitHub, exposing their account credentials. The content on rustfoundation.dev was produced by proxying requests to github.com, effectively creating a replica of the GitHub site in which the attackers could intercept login credentials and two-factor authentication codes in transit.
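The campaign works because the phishing domain merely contains familiar brand words; the attack described above is not detectable by looking for "github" in the hostname, and since the proxy forwards one-time codes to the real site, code-based two-factor authentication does not stop it (only origin-bound credentials such as WebAuthn security keys do). The following is an added example, not code from the Rust Foundation's advisory or the crates.io project: a small link triage routine that a mail gateway or a developer can run over a suspicious message. It extracts every URL, resolves the actual hostname (including the `user@host` trick), and accepts a host only if it is exactly a trusted domain or a label-aligned subdomain of one, so `github.rustfoundation.dev` and `github.com.evil.example` are both flagged. The trusted-domain list and the sample email are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: domains where the Rust project and
# GitHub legitimately ask for account actions. Adjust for your own environment.
TRUSTED_DOMAINS = ("crates.io", "rust-lang.org", "github.com")

# Brand words a look-alike domain is likely to reuse (constructed list).
BRAND_WORDS = ("rust", "crates", "github")

# Matches http(s) URLs up to whitespace or common delimiters.
URL_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)


def is_trusted_host(host: str, trusted: str) -> bool:
    """True only if host equals `trusted` or is a label-aligned subdomain of it.

    A plain substring or endswith() check would accept 'notgithub.com'; the
    leading dot in the suffix comparison prevents that.
    """
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' (reuses a brand word) or 'unknown'."""
    if any(is_trusted_host(host, t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if any(word in host.lower() for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def extract_links(text: str) -> list[tuple[str, str, str]]:
    """Return (url, hostname, verdict) for every URL found in the message body.

    urlparse().hostname discards any 'user@' prefix, so
    'https://github.com@evil.example/' resolves to 'evil.example'.
    """
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")
        host = urlparse(url).hostname or ""
        results.append((url, host, classify_host(host)))
    return results


def suspicious_links(text: str) -> list[tuple[str, str, str]]:
    """Only the links that did not pass the trusted-domain check."""
    return [entry for entry in extract_links(text) if entry[2] != "trusted"]


# Constructed sample message modelled on the campaign's shape; not a real email.
SAMPLE_EMAIL = """\
Subject: Security notice: crates.io infrastructure incident

Your account may be affected. Please verify your account at
https://github.rustfoundation.dev/login before publishing rights are suspended.

For reference, the registry is at https://crates.io/ and the Cargo book at
https://doc.rust-lang.org/cargo/.
"""

if __name__ == "__main__":
    for url, host, verdict in extract_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {host:30} {url}")
```

The `lookalike` verdict is only a hint for the reviewer; the security-relevant decision is the `trusted` check, which must be exact or label-aligned. Anything not on the allowlist, brand word or not, deserves the same scrutiny.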
