Rust Package Chrono Anchor Removed Due to Stealing Secrets
RUSTSEC-2026-0039
Summary
A malicious Rust crate, `chrono_anchor`, was removed from crates.io after it was found attempting to exfiltrate `.env` files from a user's computer. It was designed to look like a legitimate tool for working with time, but it sent the stolen files to a server impersonating the legitimate `timeapi.io` service. If you use this package, update your code to use a safer alternative immediately.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | chrono_anchor | > 0.0.0-0 | – |
Original title
`chrono_anchor` was removed from crates.io due to malicious code
Original description
The `chrono_anchor` crate attempted to exfiltrate `.env` files to a server that
was in turn impersonating the legitimate `timeapi.io` service.
The malicious crate had 1 version published on 2026-03-04 approximately 6 days
before removal and had no evidence of actual downloads. There were no crates
depending on this crate on crates.io.
Thanks to [Socket][socket] for reporting this crate. They have published
[a blog post][blog] about this recent campaign, and we advise users of
`timeapi.io` to exercise caution when using crates to interact with that
service.
[socket]: https://socket.dev
[blog]: https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files
- https://crates.io/crates/chrono_anchor Product
- https://rustsec.org/advisories/RUSTSEC-2026-0039.html Vendor Advisory
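A dependency check for the crate named in this advisory, as an added example that is not part of the RustSec advisory or Socket's write-up: it scans Cargo.lock text for `chrono_anchor` and reports which packages pull it in. `scan_lockfile`, `Finding` and the sample lockfile are hypothetical names and constructed data; the sample's version string is a placeholder because the page does not state the published version.

```rust
// Added example (not RustSec or Socket code): scan Cargo.lock text for a removed
// crate and list the packages that pull it in. Assumes cargo's multi-line layout.
pub const REMOVED_CRATE: &str = "chrono_anchor"; // crate name from the advisory

#[derive(Debug, Default, PartialEq)]
pub struct Finding {
    pub versions: Vec<String>,   // locked versions of the removed crate
    pub dependents: Vec<String>, // packages that list it under `dependencies`
}

/// Value of a `key = "value"` line, or None when the line is something else.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

pub fn scan_lockfile(lock: &str, target: &str) -> Finding {
    let mut out = Finding::default();
    for block in lock.split("[[package]]").skip(1) {
        let (mut name, mut version, mut in_deps, mut uses) = ("", "", false, false);
        for t in block.lines().map(str::trim) {
            if in_deps {
                if t == "]" { in_deps = false; continue; }
                // Entries look like "name", "name 1.2.3" or "name 1.2.3 (source)".
                let dep = t.trim_end_matches(',').trim_matches('"');
                uses |= dep.split_whitespace().next() == Some(target);
            } else if t.starts_with("dependencies") {
                in_deps = true;
            } else if let Some(v) = quoted(t, "name") {
                name = v;
            } else if let Some(v) = quoted(t, "version") {
                version = v;
            }
        }
        if name == target { out.versions.push(version.to_string()); }
        if uses { out.dependents.push(format!("{name} {version}")); }
    }
    out
}

// Constructed lockfile; the version string is a placeholder, not the real release.
pub const SAMPLE_LOCK: &str = concat!(
    "[[package]]\nname = \"my_app\"\nversion = \"0.1.0\"\ndependencies = [\n \"chrono_anchor\",\n]\n\n",
    "[[package]]\nname = \"chrono_anchor\"\nversion = \"0.0.0-example\"\n",
);

fn main() {
    println!("{:?}", scan_lockfile(SAMPLE_LOCK, REMOVED_CRATE));
}
```

An empty `Finding` means the lockfile neither pins the crate nor lists it as a dependency; any entry in `dependents` names the package whose manifest needs changing.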
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026