GHSA-F8H5-X737-X4XR: Finch-Rust: The Shai-Hulud Worm Burrows into Crates.io


Vulnerability ID: GHSA-F8H5-X737-X4XR
CVSS Score: 10.0
Published: 2026-02-06

In the ongoing saga of supply chain warfare, the Rust ecosystem, often lauded for its memory safety, has been reminded that the borrow checker cannot save you from social engineering. The 'finch-rust' crate, a malicious package mimicking a legitimate library, was found acting as a loader for the 'Shai-Hulud' malware campaign. It executes arbitrary code during the build via 'build.rs': Cargo compiles and runs a dependency's build script on the developer's machine, with the developer's privileges, before any of the project's own code is compiled. This package is a stark reminder that 'cargo build' on an untrusted dependency is effectively remote code execution.

TL;DR

A malicious Rust crate named 'finch-rust' was published to crates.io, executing a malware loader during compilation. Part of the 'Shai-Hulud' campaign, it steals developer secrets (AWS, SSH, Env Vars) immediately upon running 'cargo build'.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain / Typosquatting
  • CVSS: 10.0 (Critical)
  • Impact: Data Exfiltration / Arbitrary Code Execution
  • Component: build.rs (Cargo Build Script)
  • Campaign: Shai-Hulud 2.0
  • Status: Malware / Active Exploitation

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines
  • Linux Workstations
  • macOS Workstations
  • Windows Workstations
  • finch-rust: all versions (Fixed in: N/A; the crate has been removed from crates.io)

Exploit Details

Mitigation Strategies

  • Dependency Verification
  • Credential Rotation
  • Network Monitoring
  • CI/CD Isolation

Remediation Steps:

  1. Identify projects containing 'finch-rust' in Cargo.toml or Cargo.lock.
  2. Remove the dependency immediately: 'cargo remove finch-rust'.
  3. Revoke and rotate ALL credentials (AWS, SSH, GPG, API Keys) present on the infected system.
  4. Inspect ~/.ssh/authorized_keys and other persistence locations for backdoors.
  5. Rebuild the host system if possible, or perform a deep forensic audit.
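Steps 1 and 2 above only work as written when 'finch-rust' is a direct dependency; a lockfile can also pin it through some other crate, where 'cargo remove' does nothing. The following triage script is an added example, not the advisory's own tooling: it walks a source tree, reports every Cargo.lock that pins the crate, and classifies each project as direct, transitive or clean. The sample tree it builds under a temp directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added triage helper, not the advisory's own tooling: find projects under a tree
# that pull in the crate named in GHSA-F8H5-X737-X4XR. Needs only sh/find/awk/grep.
CRATE="finch-rust"

# Print "<lockfile> <version>" for each Cargo.lock under $1 that pins $CRATE.
# Cargo.lock is TOML made of [[package]] tables: reset state at each header and
# report once the table's name matches and its version has been seen.
lockfile_hits() {
    find "$1" -type f -name Cargo.lock 2>/dev/null | sort | while IFS= read -r lock; do
        awk -v crate="$CRATE" -v file="$lock" '
            /^\[\[package\]\]/ { name = ""; ver = "" }
            /^name = /    { gsub(/"/, "", $3); name = $3 }
            /^version = / { gsub(/"/, "", $3); ver = $3 }
            name == crate && ver != "" { print file, ver; name = "" }
        ' "$lock"
    done
}

# Exit 0 if $1/Cargo.toml names $CRATE directly: finch-rust = "...", a
# [dependencies.finch-rust] table, or a renamed alias = { package = "finch-rust" }.
declared_directly() {
    grep -Eq "^\"?${CRATE}\"? *=|package *= *\"${CRATE}\"|\.${CRATE}\]" "$1/Cargo.toml" 2>/dev/null
}

# Print direct | transitive | clean for the project at $1. A transitive hit is
# pinned by the lockfile but absent from Cargo.toml, so 'cargo remove' cannot
# fix it: find the parent with 'cargo tree -i finch-rust' and replace that.
classify_project() {
    if declared_directly "$1"; then echo direct
    elif [ -n "$(lockfile_hits "$1")" ]; then echo transitive
    else echo clean
    fi
}

# Constructed sample tree: one direct dependent, one transitive, one clean.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/direct" "$d/transitive" "$d/clean"
    printf '[package]\nname = "direct"\n\n[dependencies]\nfinch-rust = "0.1"\n' > "$d/direct/Cargo.toml"
    printf 'version = 4\n\n[[package]]\nname = "direct"\nversion = "0.1.0"\n\n[[package]]\nname = "finch-rust"\nversion = "0.1.2"\nsource = "registry+https://github.com/rust-lang/crates.io-index"\n' > "$d/direct/Cargo.lock"
    printf '[package]\nname = "transitive"\n\n[dependencies]\nsome-parent = "1"\n' > "$d/transitive/Cargo.toml"
    printf '[[package]]\nname = "finch-rust"\nversion = "0.1.0"\n\n[[package]]\nname = "some-parent"\nversion = "1.0.0"\ndependencies = ["finch-rust"]\n' > "$d/transitive/Cargo.lock"
    printf '[package]\nname = "clean"\n' > "$d/clean/Cargo.toml"
    printf '[[package]]\nname = "clean"\nversion = "0.1.0"\n' > "$d/clean/Cargo.lock"
    echo "$d"
}

root=$(make_sample_tree); lockfile_hits "$root"   # stand-alone demo run
for p in "$root"/*; do printf '%s: %s\n' "$p" "$(classify_project "$p")"; done
rm -rf "$root"
```

Point lockfile_hits at a real checkout root instead of the sample tree; any "transitive" result is the case where the crate must be traced to its parent rather than removed by name.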
