Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

Security firm Socket reported that researchers discovered five malicious Rust packages on crates.io that pretended to be time-related utilities but were designed to harvest developer secrets. Socket said the fake crates targeted .env files, a common location for API keys and tokens, and exfiltrated that data to attacker-controlled infrastructure.

Security researcher Kirill Boychenko summarized the intent plainly: “Although the crates pose as local time utilities, their core behavior is credential and secret theft.” Socket and Boychenko flagged these packages by name:

  • chrono_anchor
  • dnp3time
  • time_calibrator
  • time_calibrators
  • time-sync

Socket said the crates impersonated the timeapi.io service and were published between late February and early March 2026. Four of the packages used straightforward exfiltration mechanics, while chrono_anchor used obfuscation and operational tricks to avoid detection. Socket noted that chrono_anchor tucked its theft code into a file named “guard.rs” that is invoked from an optional sync helper so the code runs during normal development or CI activity without obvious signs.

Socket found that, rather than installing a persistent backdoor, the crates attempted exfiltration again each time a developer ran a workflow that invoked the malicious code. Because .env files often include cloud and registry tokens, Socket warned that a compromised secret can let attackers move laterally into cloud services and developer workflows.

Socket urged users to assume compromise if they used these packages, rotate keys and tokens, audit CI/CD jobs that run with publish or deploy credentials, and restrict outbound network access. “This campaign shows that low-complexity supply chain malware can still deliver high-impact when it runs inside developer workspaces and CI jobs,” Socket said. “Prioritize controls that stop malicious dependencies before they execute.”
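To act on the "assume compromise" advice, the following added example (not Socket's tooling and not code from the reports) checks a Cargo.lock for the five crate names listed above and separates entries resolved from crates.io from same-named crates that come from another source. The sample lockfile and its version numbers are constructed placeholders, and the verdict strings are this example's own wording.

```python
import re
import sys

def _norm(name):
    # crates.io treats '-' and '_' as the same character in crate names.
    return name.replace("-", "_").lower()

# Crate names as listed in the article.
FLAGGED = {_norm(n) for n in ("chrono_anchor", "dnp3time", "time_calibrator",
                              "time_calibrators", "time-sync")}
_KV = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"$')

def parse_lock(text):
    """Return the [[package]] tables of a Cargo.lock as dicts."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # another table, e.g. [metadata]
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def audit(text):
    """Return (name, version, verdict) for each entry with a flagged name."""
    hits = []
    for pkg in parse_lock(text):
        if _norm(pkg.get("name", "")) in FLAGGED:
            # crates.io packages record the registry index as source; path crates record none.
            registry = "crates.io-index" in pkg.get("source", "")
            verdict = "from crates.io: rotate secrets" if registry else "other source: review"
            hits.append((pkg["name"], pkg.get("version", "?"), verdict))
    return hits

# Constructed sample lockfile; the versions are placeholders.
SAMPLE = """\
[[package]]
name = "chrono_anchor"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "time-sync"
version = "0.0.0"
"""
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(*audit(text), sep="\n")
```

Run it with the path to a project's Cargo.lock as the only argument; an empty result means none of the five names appear as resolved packages in that lockfile.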

AI-powered bot exploited GitHub Actions to collect secrets

Separately, supply chain security company StepSecurity described an automated campaign using an AI-driven bot called hackerbot-claw that scanned public repositories for vulnerable GitHub Actions workflows between February 21 and February 28, 2026. StepSecurity said the bot targeted projects from major vendors and used pull requests to trigger CI pipelines that executed malicious payloads.

StepSecurity laid out the attack flow:

  • Scan public repos for misconfigured CI/CD workflows.
  • Fork the target and prepare a malicious branch.
  • Open a pull request with a trivial change, hiding the payload in branch names, file names, or CI scripts.
  • Trigger the CI workflow, which runs on pull requests, causing the payload to execute on build servers.
  • Steal secrets and access tokens exposed to the workflow.

StepSecurity said, “Hackerbot-claw exploited a pull_request_target workflow to steal a Personal Access Token (PAT).” One high-profile victim was the aquasecurity/trivy repository. Aqua Security reported that an attacker abused a workflow to push a malicious Visual Studio Code extension to the Open VSX registry and used local AI coding agents to collect information.

Socket investigated the extension and found that injected logic in versions 1.8.12 and 1.8.13 could run local AI coding assistants in permissive modes and attempt to save discovery results to a repository named posture-report-trivy using the victim’s authenticated GitHub CLI session. Aqua Security said it removed the malicious artifacts and revoked the publishing token, and the incident is being tracked under CVE-2026-28353.

Aqua and Socket advised users to immediately uninstall suspicious extensions, check for unexpected repositories or tokens, and rotate environment secrets. Socket emphasized that defenses should stop malicious dependencies and PR-triggered code from running with sensitive credentials.
