Malicious time-sync package on crates.io steals sensitive files
GHSA-mh23-rw7f-v5pq
Summary
A fake time-sync package was uploaded to crates.io and attempted to steal sensitive .env files. This malicious package was removed before it could be downloaded, but it's essential to be cautious when using third-party libraries. Check your dependencies and ensure you're using legitimate versions of any packages you rely on.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | time-sync | All versions | – |
Original title
`time-sync` was removed from crates.io due to malicious code
Original description
The `time-sync` crate attempted to exfiltrate `.env` files to a server that was in turn impersonating the legitimate `timeapi.io` service. This is the same attack that we've seen three times in the last few days.
The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.
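One way to act on the "check your dependencies" advice above, as an added example that is not tooling from this advisory, crates.io or RustSec: a small Python script that parses a Cargo.lock and flags any locked package listed in a local advisory table seeded with this page's entry. The advisory table, the lockfile contents and the helper names are assumptions constructed for the example.

```python
import re

# Constructed advisory list; the only entry is this page's advisory,
# time-sync, all versions (an empty version list matches every version).
ADVISORIES = {"time-sync": {"id": "GHSA-mh23-rw7f-v5pq", "affected_versions": []}}

# Constructed Cargo.lock fragment; "myapp" depends on the malicious crate.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "time-sync"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = ["serde", "time-sync"]
"""

# A regex per [[package]] block is enough here and avoids a TOML dependency.
KEY_VALUE = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"', re.M)


def parse_lockfile(lock_text: str) -> list[dict]:
    """One dict per [[package]]; 'source' is absent for path/workspace crates."""
    return [dict(KEY_VALUE.findall(chunk))
            for chunk in lock_text.split("[[package]]")[1:]]


def audit_lockfile(lock_text: str, advisories=ADVISORIES) -> list[dict]:
    """Return a finding for every locked package that matches an advisory."""
    findings = []
    for pkg in parse_lockfile(lock_text):
        adv = advisories.get(pkg.get("name"))
        if adv is None:
            continue
        affected = adv["affected_versions"]
        if affected and pkg.get("version") not in affected:
            continue  # advisory names specific versions and this one is not among them
        findings.append({"name": pkg["name"], "version": pkg.get("version", "?"),
                         "source": pkg.get("source", "path/workspace"),
                         "advisory": adv["id"]})
    return findings
```

Pass the text of a real Cargo.lock to `audit_lockfile` to get the list of findings, each carrying the package's registry source so a registry crate can be told apart from a path dependency of the same name.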
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026