Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors.
The Rust packages, published to crates.io, are listed below –
- chrono_anchor
- dnp3times
- time_calibrator
- time_calibrators
- time-sync
The crates, per Socket, impersonate timeapi.io and were published between late February and early March 2026. It’s assessed to be the work of a single threat actor based on the use of the same exfiltration methodology and the lookalike domain (“timeapis[.]io”) to stash the stolen data.
“Although the crates pose as local time utilities, their core behavior is credential and secret theft,” security researcher Kirill Boychenko said. “They attempt to collect sensitive data from developer environments, most notably .env files, and exfiltrate it to threat actor-controlled infrastructure.”
While four of the aforementioned packages exhibit fairly straightforward capabilities to exfiltrate .env files, “chrono_anchor” goes a step further by implementing obfuscation and operational changes so as to avoid detection. The crates were advertised as a way to calibrate local time without relying on the Network Time Protocol (NTP).
“Chrono_anchor” incorporates the exfiltration logic within a file named “guard.rs” that’s invoked from an “optional sync” helper function so as to avoid raising developer suspicions. Unlike other malware, the code observed in this case does not aim to set up persistence on the host through a service or scheduled task.
Instead, the crate attempts to repeatedly exfiltrate .env secrets every time the developer of a Continuous Integration (CI) workflow calls the malicious code.
The targeting of .env files is no accident, as it’s typically used to hold API keys, tokens, and other secrets, allowing an attacker to compromise downstream users and gain deeper access to their environments, including cloud services, databases, and GitHub and registry tokens.
While the packages have since been removed from crates.io, users who may have accidentally downloaded them are advised to assume possible exfiltration, rotate keys and tokens, audit CI/CD jobs that run with publish or deploy credentials, and limit outbound network access where possible.
“This campaign shows that low-complexity supply chain malware can still deliver high-impact when it runs inside developer workspaces and CI jobs,” Socket said. “Prioritize controls that stop malicious dependencies before they execute.”
AI-Powered Bot Exploits GitHub Actions
The disclosure follows the discovery of an automated attack campaign that targeted CI/CD pipelines spanning major open-source repositories, with an artificial intelligence (AI)-powered bot called hackerbot-claw scanning public repositories for exploitable GitHub Actions workflows to harvest developer secrets.
Between February 21 and February 28, 2026, the GitHub account, which described itself as an autonomous security research agent, targeted no…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
