dnp3times: Malicious Code Exfiltrates Sensitive Files
GHSA-xhw7-jhmp-j62j
Summary
A malicious crate named `dnp3times` was briefly available on crates.io and attempted to steal sensitive files. It is unlikely to have caused harm, since it was quickly removed and no crates on crates.io depended on it. Users should carefully review their dependencies and confirm that `dnp3times` is not among them.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | dnp3times | All versions | – |
Original title
`dnp3times` was removed from crates.io due to malicious code
Original description
The `dnp3times` crate attempted to exfiltrate `.env` files to a server that was in turn impersonating the legitimate `timeapi.io` service. It was loosely trying to typosquat the `dnp3time` crate, but otherwise was the same attack as the recent `time_calibrator` and `time_calibrators` malware.
The malicious crate had 1 version published on 2026-03-04 approximately 6 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.
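To check a project for the crates named above, the following added example (not part of the advisory or of any crates.io tooling) scans the text of a `Cargo.lock` for `dnp3times`, `time_calibrator` and `time_calibrators`. The sample lockfile and its version numbers are constructed, and the names `audit_lockfile`, `Hit` and `SAMPLE_LOCK` are hypothetical.

```rust
// Added example: flag the crates named in this advisory inside a Cargo.lock.
const FLAGGED: [&str; 3] = ["dnp3times", "time_calibrator", "time_calibrators"];

#[derive(Debug, PartialEq)]
pub struct Hit { pub name: String, pub version: String, pub source: String }

// Return the quoted value of a `key = "value"` line when the key matches exactly.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

pub fn audit_lockfile(lock: &str) -> Vec<Hit> {
    let mut hits = Vec::new();
    // Every `[[package]]` table is one resolved dependency, direct or transitive.
    for block in lock.split("[[package]]").skip(1) {
        let (mut name, mut version, mut source) = ("", "", "(no source field)");
        for line in block.lines() {
            if let Some(v) = field(line, "name") { name = v; }
            if let Some(v) = field(line, "version") { version = v; }
            if let Some(v) = field(line, "source") { source = v; }
        }
        // Exact match only: `dnp3time`, the crate being typosquatted, is not flagged.
        if FLAGGED.contains(&name) {
            hits.push(Hit { name: name.into(), version: version.into(), source: source.into() });
        }
    }
    hits
}

// Constructed sample lockfile; versions are placeholders, not values from the advisory.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "dnp3time"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "dnp3times"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = ["dnp3time", "dnp3times"]
"#;

fn main() {
    for h in audit_lockfile(SAMPLE_LOCK) { println!("FLAGGED {} {} ({})", h.name, h.version, h.source); }
}
```

For a real project, pass the contents of its `Cargo.lock` to `audit_lockfile`, for example via `std::fs::read_to_string`.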
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026