Malicious code in time_calibrators crate exposed sensitive files online
GHSA-wf45-3gpw-vrqv
Summary
A malicious version of the time_calibrators crate was uploaded to a public repository and could have stolen sensitive configuration files from users' computers. Fortunately, the issue was caught quickly and the problematic crate was removed. No actual downloads were detected, but it's essential to be cautious and regularly update dependencies to prevent similar incidents.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | time_calibrators | All versions | – |
Original title
`time_calibrators` was removed from crates.io due to malicious code
Original description
The `time_calibrators` crate attempted to exfiltrate `.env` files to a server that was in turn impersonating the legitimate `timeapi.io` service.
The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.
Rust security response working group thanks cybergeek for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io team.
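To check whether a project ever resolved this crate, the following added example (not part of the advisory or of any crates.io tooling) scans `Cargo.lock` text for `time_calibrators` and reports which packages list it as a dependency. The sample lockfile, the package name `demo-app` and the version `0.0.0` are constructed placeholders, and the function names are hypothetical.

```rust
// Added example, not from the advisory. Std-only; expects the layout Cargo itself writes.
// SAMPLE is a constructed lockfile excerpt; "demo-app" and "0.0.0" are placeholders.
const SAMPLE: &str = r#"
[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "time_calibrators 0.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "time_calibrators"
version = "0.0.0"
"#;

// Text between the first and last double quote on a line, if any.
fn quoted(line: &str) -> Option<&str> {
    let (start, end) = (line.find('"')? + 1, line.rfind('"')?);
    line.get(start..end)
}

// Returns (locked version, packages that list `target` as a dependency).
fn scan_lockfile(lock: &str, target: &str) -> Option<(String, Vec<String>)> {
    let (mut name, mut in_deps) = (String::new(), false);
    let (mut version, mut required_by) = (None, Vec::new());
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name.clear();
            in_deps = false;
        } else if in_deps {
            // Entries read "name", "name version" or "name version (source)".
            let dep = quoted(line).and_then(|d| d.split_whitespace().next());
            if dep == Some(target) {
                required_by.push(name.clone());
            }
            in_deps = !line.starts_with(']');
        } else if line.starts_with("name = ") {
            name = quoted(line).unwrap_or("").to_string();
        } else if line.starts_with("version = ") && name == target {
            version = quoted(line).map(str::to_string);
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    version.map(|v| (v, required_by))
}
fn main() {
    println!("{:?}", scan_lockfile(SAMPLE, "time_calibrators"));
}
```

A `None` result means the lockfile has no `[[package]]` entry for the crate; a `Some` result names the packages to trace back through when reviewing how it entered the build.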
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026