Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines
A software supply chain attack has been observed in the Rust programming language's crate registry, in which typosquatting was used to publish a rogue library containing malware.
Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."
Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library.
While typosquatting attacks have been previously documented against NPM, PyPI, and RubyGems, the development marks an uncommon instance where such an incident has been discovered in the Rust ecosystem.
"Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once," SentinelOne researchers said.
"In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks."
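A build pipeline can check for the lookalike names described above before it fetches anything. The following is an added example, not code from SentinelOne or from the article; the allowlist `KNOWN`, the sample manifest and all function names are constructed for illustration, and the scan covers only simple `name = ...` entries in dependency tables.

```rust
// Constructed allowlist of crate names the project really intends to use.
const KNOWN: &[&str] = &["serde", "serde_json", "tokio", "rand", "regex"];

/// Lowercase and drop `-`/`_`, so `serdejson` collides with `serde_json`.
fn normalize(name: &str) -> String {
    name.chars().filter(|c| *c != '-' && *c != '_').collect::<String>().to_lowercase()
}

/// Levenshtein edit distance, two-row dynamic programming.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let sub = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur[j] = sub.min(prev[j] + 1).min(cur[j - 1] + 1);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns the known crate that `dep` imitates; None if `dep` is exact or unrelated.
fn lookalike_of(dep: &str) -> Option<&'static str> {
    if KNOWN.contains(&dep) { return None; }
    let n = normalize(dep);
    KNOWN.iter().copied().find(|k| {
        let kn = normalize(k);
        // Same name once separators are removed, or one edit away (short names skipped).
        n == kn || (kn.len() >= 4 && edit_distance(&n, &kn) == 1)
    })
}

/// Scans every `[...dependencies]` table; returns (dependency, imitated crate) pairs.
fn audit_manifest(toml: &str) -> Vec<(String, &'static str)> {
    let (mut in_deps, mut hits) = (false, Vec::new());
    for line in toml.lines().map(str::trim) {
        if line.starts_with('[') { in_deps = line.ends_with("dependencies]"); continue; }
        if !in_deps || line.starts_with('#') { continue; }
        if let Some((name, _)) = line.split_once('=') {
            let name = name.trim().trim_matches('"');
            if let Some(k) = lookalike_of(name) { hits.push((name.to_string(), k)); }
        }
    }
    hits
}

// Constructed Cargo.toml content, not taken from the incident.
const SAMPLE: &str = "[package]\nname = \"demo\"\n[dependencies]\nserde = \"1\"\nserdejson = \"1\"\nregx = \"1\"\n[dev-dependencies]\nrnd = \"0.8\"\n";
fn main() { println!("{:?}", audit_manifest(SAMPLE)); }
```

A hit is a prompt for human review, not proof of malice: legitimate crates can sit one edit away from a popular name, so the allowlist should hold the project's own reviewed dependencies.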
News URL
https://thehackernews.com/2022/05/researchers-uncover-rust-supply-chain.html