Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency
Blog post from Socket
Socket's Threat Research Team identified two malicious Rust crates, finch-rust and sha-rust, that targeted developers through typosquatting and impersonation. The finch-rust package mimicked the legitimate bioinformatics tool finch to mislead users while secretly acting as a loader for the credential-stealing sha-rust package. The actor, using the alias "faceless," built a layered impersonation scheme, fabricating GitHub repositories and posing as a legitimate developer, "radioman," to lend false credibility to the malware. The malicious code did not run at install time; it executed only when specific library functions were called, and it used obfuscation such as base64-encoded strings and UDP socket tricks to evade detection. Socket reported the findings to the Rust Security team, and the packages were removed. The incident highlights weaknesses in the Rust ecosystem and the need for developers to verify package authenticity, pin dependencies, and employ automated security tooling to counter supply chain attacks of this kind. Pinning versions does not protect against adding the wrong crate in the first place, so a crate's name, publisher and linked repository should be checked before it enters the manifest.
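As an added example (not Socket's code and not taken from either malicious crate), the following dependency-free Rust program audits the `[dependencies]` table of a Cargo manifest for two of the red flags above: a dependency name that is a known crate plus a decoy affix such as `-rust` (the finch versus finch-rust pattern) or a one-character typo of it, and a version requirement that is not pinned to an exact version. The allowlist of known crates, the affix list and the sample manifest are constructed for illustration; a real run would use your own allowlist and your project's Cargo.toml.

```rust
// Added example, not code from the Socket post or from the finch/sha-rust crates.
// Audits the [dependencies] table of a Cargo manifest for impersonation-style
// names and unpinned version requirements using only the standard library.
use std::collections::HashMap;

/// Constructed allowlist of crates the project intends to depend on (hypothetical).
const KNOWN_CRATES: &[&str] = &["finch", "serde", "sha2", "tokio"];

/// Decoy affixes commonly attached to a legitimate name to fake a "Rust port".
const SUSPICIOUS_AFFIXES: &[&str] = &["-rust", "_rust", "-rs", "_rs", "rust-", "rust_"];

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Name is a known crate plus a decoy affix, or within edit distance 1 of a known crate.
    Impersonation { dep: String, looks_like: String },
    /// Version requirement is a range, not an exact "=x.y.z" pin.
    Unpinned { dep: String, req: String },
}

/// Levenshtein edit distance, used to catch one-character typosquats ("serd" vs "serde").
fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns the known crate a dependency name appears to impersonate, if any.
fn impersonated_crate(dep: &str) -> Option<&'static str> {
    for &known in KNOWN_CRATES {
        if dep == known {
            return None; // exact match: the real crate
        }
        // "finch-rust" or "rust-finch": known name plus a decoy affix.
        for &affix in SUSPICIOUS_AFFIXES {
            if dep == format!("{known}{affix}") || dep == format!("{affix}{known}") {
                return Some(known);
            }
        }
        // One-character typos such as "serd" or "tokoi".
        if edit_distance(dep, known) <= 1 {
            return Some(known);
        }
    }
    None
}

/// Minimal parser for `name = "req"` lines of a `[dependencies]` table.
/// Inline-table entries (`name = { version = "..." }`) are deliberately not handled.
fn parse_dependencies(manifest: &str) -> HashMap<String, String> {
    let mut deps = HashMap::new();
    let mut in_deps = false;
    for raw in manifest.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_deps = line == "[dependencies]";
            continue;
        }
        if !in_deps || line.is_empty() || line.starts_with('#') {
            continue;
        }
        if let Some((name, req)) = line.split_once('=') {
            let req = req.trim().trim_matches('"');
            deps.insert(name.trim().to_string(), req.to_string());
        }
    }
    deps
}

/// Runs both checks over every dependency; results are sorted by crate name.
pub fn audit(manifest: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut deps: Vec<(String, String)> = parse_dependencies(manifest).into_iter().collect();
    deps.sort();
    for (dep, req) in deps {
        if let Some(known) = impersonated_crate(&dep) {
            findings.push(Finding::Impersonation { dep: dep.clone(), looks_like: known.to_string() });
        }
        if !req.starts_with('=') {
            findings.push(Finding::Unpinned { dep, req });
        }
    }
    findings
}

/// Constructed sample manifest, not taken from any real project.
pub const SAMPLE_MANIFEST: &str = r#"
[package]
name = "demo"

[dependencies]
finch-rust = "0.1"
serd = "1.0"
serde = "=1.0.219"
tokio = "=1.40.0"
"#;

fn main() {
    for finding in audit(SAMPLE_MANIFEST) {
        println!("{finding:?}");
    }
}
```

On the sample manifest the audit reports finch-rust as an impersonation of finch and serd as a typo of serde, and flags both as unpinned; serde and tokio pass. The affix check is what catches the finch-rust pattern, since edit distance alone would not (the names differ by five characters), which is why a name-similarity heuristic on its own is not enough for this class of squat.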