GHSA-3MMG-7C2Q-8938: Rust-y Chains: The `sha-rust` Supply Chain Ambush


Vulnerability ID: GHSA-3MMG-7C2Q-8938
CVSS Score: 10.0
Published: 2026-02-06

This report covers a supply chain attack on the Rust ecosystem delivered through the malicious sha-rust crate. Using a multi-stage loading mechanism in which a typosquatted loader crate (finch-rust) pulled in the payload, the attackers got past initial scrutiny and exfiltrated developer credentials through compile-time build scripts.

TL;DR

Attackers published finch-rust (a typosquat of finch), which pulled in sha-rust as a dependency. The payload in sha-rust used build.rs to steal AWS keys and SSH credentials during compilation. If you installed it, your secrets are already gone.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain / Typosquatting
  • CWE: CWE-506: Embedded Malicious Code
  • Execution Stage: Compile Time (build.rs)
  • Target: Developer Credentials (AWS, SSH, Kube)
  • CVSS (Est): 10.0 (Critical)
  • Status: Removed from Crates.io

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines (GitHub Actions, GitLab CI)
  • Production Build Servers
  • sha-rust: All versions (Fixed in: N/A; the crate itself is malicious, so there is no safe version)
  • finch-rust: All versions (Fixed in: N/A; the crate itself is malicious, so there is no safe version)

Mitigation Strategies

  • Credential Rotation
  • Dependency Auditing
  • Network Monitoring
  • Environment Isolation

Remediation Steps:

  1. Identify presence of sha-rust or finch-rust in Cargo.lock.
  2. Delete the affected project directory and clean the cargo cache.
  3. Rotate ALL credentials (AWS, SSH, GPG, API Keys) exposed on the infected host.
  4. Review CI/CD logs for unauthorized external connections.
  5. Implement cargo-audit in the build pipeline to block known malicious crates.
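Step 1 above is easy to automate. The following script is an added example written for this page (it is not code from the advisory or from any of the crates named): it scans a Cargo.lock for the two crate names in the advisory and fails when either is present. The lock file embedded in it is constructed for demonstration and is not real project data.

```shell
#!/bin/sh
# Added example, not from the original advisory: scan Cargo.lock files for the
# crates named in GHSA-3MMG-7C2Q-8938 (remediation step 1).
# The crate names come from the advisory; the sample lock file is constructed.

MALICIOUS_CRATES="sha-rust finch-rust"

# list_malicious FILE
# Prints one "name version" line for every [[package]] entry in FILE whose
# name is on the block list. Cargo.lock is TOML; each package block has a
# `name = "..."` line followed by a `version = "..."` line.
list_malicious() {
    awk -v list="$MALICIOUS_CRATES" '
        BEGIN { n = split(list, bad, " "); for (i = 1; i <= n; i++) blocked[bad[i]] = 1 }
        $1 == "name"    { gsub(/"/, "", $3); cur = $3; next }
        $1 == "version" && (cur in blocked) { gsub(/"/, "", $3); print cur, $3; cur = "" }
    ' "$1"
}

# check_lockfile FILE -> exit 0 when clean, 1 when a blocked crate is present
check_lockfile() {
    hits=$(list_malicious "$1")
    if [ -n "$hits" ]; then
        printf 'BLOCKED crate(s) in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample lock file: the legitimate-looking "finch" entry must pass,
# the "sha-rust" entry must be flagged.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "finch"
version = "0.3.1"

[[package]]
name = "sha-rust"
version = "0.1.2"
dependencies = [
 "finch",
]
EOF

# Typical CI use: scan every Cargo.lock in the checkout and fail the job on a hit.
#   for f in $(find . -name Cargo.lock); do check_lockfile "$f" || exit 1; done
```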
