Malicious Code Found in time_calibrator Rust Library
GHSA-77xj-rrh3-wx3v
Summary
A malicious version of the time_calibrator library was uploaded to a package repository. It was designed to secretly send sensitive files to a server. This issue has been fixed and the library has been removed, but users should be cautious when installing packages and monitor their dependencies closely.
What to do
No fix is available yet. Check with your software vendor for updates.
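Because the crate was removed rather than patched, one practical check is whether any `Cargo.lock` you build from still names it. The following is an added example, not part of the advisory or of any Rust project tooling: it scans lockfile text for `time_calibrator` and lists the packages that depend on it. `Finding`, `scan_lockfile`, `demo_app` and the sample version numbers are constructed for illustration.

```rust
#[derive(Debug, Default, PartialEq)]
pub struct Finding {
    pub versions: Vec<String>,   // locked versions of the flagged crate
    pub dependents: Vec<String>, // packages that list it as a dependency
}
// Line-based helper, not a TOML parser: strip quotes and a trailing comma.
fn quoted(s: &str) -> Option<&str> {
    s.trim_end_matches(',').strip_prefix('"')?.strip_suffix('"')
}
pub fn scan_lockfile(lock: &str, flagged: &str) -> Finding {
    let mut f = Finding::default();
    let (mut name, mut in_deps) = ("", false);
    for t in lock.lines().map(str::trim) {
        if t.starts_with('[') {
            (name, in_deps) = ("", false); // new [[package]] or other table
        } else if let Some(v) = t.strip_prefix("name = ") {
            name = quoted(v).unwrap_or("");
        } else if let Some(v) = t.strip_prefix("version = ") {
            if name == flagged {
                f.versions.push(quoted(v).unwrap_or("").to_string());
            }
        } else if t == "dependencies = [" || t == "]" {
            in_deps = t != "]";
        } else if in_deps {
            // Entries are "name", "name version" or "name version (source)".
            let dep = quoted(t).and_then(|d| d.split_whitespace().next());
            if dep == Some(flagged) && !f.dependents.iter().any(|d| d == name) {
                f.dependents.push(name.to_string());
            }
        }
    }
    f
}

// Constructed sample lockfile: "demo_app" and both version numbers are made up.
const SAMPLE: &str = r#"
[[package]]
name = "demo_app"
version = "0.1.0"
dependencies = [
 "time_calibrator",
]
[[package]]
name = "time_calibrator"
version = "0.0.0"
"#;
fn main() {
    println!("{:?}", scan_lockfile(SAMPLE, "time_calibrator"));
}
```

Pass the contents of a real `Cargo.lock` in place of `SAMPLE`; a non-empty result means the crate was resolved for that project, so the `.env` files reachable from that build are the ones to review.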
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | time_calibrator | All versions | – |
Original title
`time_calibrator` was removed from crates.io due to malicious code
Original description
It was reported that `time_calibrator` contained malicious code that would try to upload `.env` files to a server.
The malicious crate had only 1 version, published on 2026-02-28, and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates depending on this crate on crates.io.
Rust security response working group thanks Gabriel Silva for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io and infra-admin teams.
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026