5 malicious Rust crates pose as time utilities to exfiltrate .env files
Five crates published between late February and early March 2026 posed as local time utilities while exfiltrating .env files via curl to a lookalike domain timeapis.io (typosquatting timeapi.io). All packages were 0.1.0 and yanked within hours. Account aliases: gehakax777, dictorudin.
- Detected by
- Socket
- Ecosystems
- crates.io
- Packages tracked
- 5
What happened
Between late February and early March 2026, five crates appeared on crates.io under two publishing handles — gehakax777 and dictorudin — all posing as local time utilities. Names included chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync. Each was published at exactly version 0.1.0, which is the early-tell.
On build, the crates execute a curl to a lookalike domain timeapis.io — a typosquat of the legitimate timeapi.io — uploading the contents of any .env file found on the host. The payload is small (a single shell-out, no obfuscation), which is consistent with the broader pattern of opportunistic Rust-side credential theft this quarter.
All five crates were yanked by crates.io within hours of Socket's disclosure, and combined download counts stayed in the low double digits, so direct exposure is limited. The takeaway is process-level: any crate at 0.1.0 with no prior version history posing as a near-name of a known utility should be treated as suspect, and CI should run cargo-audit plus a cargo-deny denylist for known-malicious names.
Affected packages (5)
- crates.io
chrono_anchor0.1.0 - crates.io
dnp3times0.1.0 - crates.io
time_calibrator0.1.0 - crates.io
time_calibrators0.1.0 - crates.io
time-sync0.1.0
Impact
- .env file theft including API keys, tokens, and credentials
- Targets developer workstations and CI runners
- Low download counts but represents continuing typosquat pattern
What to do
- 1Block egress to
timeapis.ioand remove the listed crates fromCargo.lock - 2Rotate credentials on any host that built with the malicious crates
- 3Add
cargo-denyrules for known-malicious crate names