Technical Details on CrateDepression Rust Supply-Chain Attack Campaign

Context

On May 19, 2022, security researchers at Sentinel Labs released technical details of a campaign targeting the Rust development community with a supply-chain attack by leveraging a malicious crate. The Rust Security Response Working Group released an advisory regarding the malicious crate on May 10, 2022. The malicious crate was named “rustdecimal,” likely intended to mimic the popular “rust[_]decimal” crate.

According to Sentinel Labs’ investigation, the attack checks for environment variables that indicate a singular interest in GitLab Continuous Integration (CI) pipelines, then serves a second-stage payload to infected CI pipelines using Go binaries built on the Mythic framework. Sentinel Labs noted that the attack could enable large-scale supply chain attacks and that the campaign likely impersonates a known Rust developer to inject malicious code through a typo-squatted malicious dependency to initiate the infection.

Mitigation Options

The Rust Security Response Working Group removed the malicious crate on May 10, 2022. According to their statement, the legitimate popular “rust[_]decimal” crate was not compromised. Organizations should remain proactive and take the following defensive actions:

• Check if any development projects running GitLab CI pipelines relied on the malicious “rustdecimal” crate since March 2022. If so, the CI pipeline should be treated as compromised
• Regularly audit rust dependencies for known issues and malicious changes

• Report any suspicious behavior in Rust crates to the Rust Security Response Working Group to help protect the community

Indicators of Compromise

Sentinel Labs released the following IOCs of the campaign: