this post was submitted on 24 Aug 2023

Rust Programming

[–] BB_C@programming.dev 16 points 2 years ago

Yay. My first ad-masquerading-as-a-genuine-post experience on Lemmy!

Thus, we’ve developed a cargo extension that transparently queries the Phylum API for information about a package before it’s allowed to build.

Only our* malware-like behaviour is blessed. Because it's a feature. And research-based. And security-oriented. And commercial! We told you about it beforehand and sold you the idea.

* Assuming the malware discovered is not theirs too.

[–] krnl386@lemmy.ca 9 points 2 years ago

Thanks for sharing. Very nice writeup.

[–] Lucky@lemmy.ml 6 points 2 years ago (1 children)

Another way to mitigate typosquatting would be namespacing crates. Much easier to verify who owns the package and related packages.

[–] Vorpal@programming.dev 2 points 2 years ago

Doesn't really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.
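As an added example (not code from the thread, from cargo or from Phylum), a small defensive check in Rust that illustrates the last two comments: it flags dependency names within a short edit distance of a trusted name, and splits a hypothetical "namespace/crate" form so that a typo in the namespace is caught exactly like a typo in the crate name. The allowlist, the dependency names and the namespace convention are constructed for the example.

```rust
// Added example (not from the thread): flag dependency names that are a small
// edit distance from a trusted name, checking namespace and crate part alike.

fn levenshtein(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Split the constructed "namespace/crate" form; a bare crate name has no namespace.
fn split_name(name: &str) -> (Option<&str>, &str) {
    name.split_once('/').map_or((None, name), |(ns, krate)| (Some(ns), krate))
}

/// The trusted name `dep` is confusable with, if any. Exact matches are fine;
/// a total edit distance of 1..=max_dist over namespace + crate is flagged.
pub fn confusable_with<'a>(dep: &str, trusted: &[&'a str], max_dist: usize) -> Option<&'a str> {
    if trusted.iter().any(|t| *t == dep) {
        return None;
    }
    let (dep_ns, dep_crate) = split_name(dep);
    trusted.iter().copied().find(|t| {
        let (t_ns, t_crate) = split_name(t);
        let ns_dist = match (dep_ns, t_ns) {
            (Some(x), Some(y)) => levenshtein(x, y),
            (None, None) => 0,
            _ => return false, // namespaced vs. bare names are not comparable
        };
        (1..=max_dist).contains(&(ns_dist + levenshtein(dep_crate, t_crate)))
    })
}

fn main() {
    // Constructed sample data: a trusted allowlist and a dependency list to audit.
    let trusted = ["serde", "tokio", "tokio-rs/tokio"];
    for dep in ["serde", "serd", "tokio-rs/tokoi", "tokoi-rs/tokio"] {
        if let Some(t) = confusable_with(dep, &trusted, 2) {
            println!("{dep}: confusable with trusted {t}");
        }
    }
}
```

The last two inputs show the point made above: a typo in the crate part and a typo in the namespace part are flagged by the same rule, so a namespace only helps if the check covers it too.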