Threat Feed
critical advisory

Malicious mysten-metrics Crate Exfiltrates Build Machine Data

The `mysten-metrics` crate was removed from crates.io after it was found to contain a malicious build script that attempted to exfiltrate data from the build machine during the build process.

On April 20, 2026, a malicious crate named mysten-metrics was published to crates.io. This crate contained a build script designed to exfiltrate data from the machine during the build process. The crate was identified and removed from crates.io. At the time of removal, only one version of the crate had been published, and there was no evidence of actual usage. The crate had no dependencies on crates.io, limiting the potential spread. This incident highlights the risks associated with supply chain attacks targeting software build processes and the importance of verifying the integrity of third-party dependencies.

Attack Chain

  1. Attacker publishes the mysten-metrics crate to crates.io.
  2. A developer adds mysten-metrics as a dependency to their project.
  3. The developer builds the project using `cargo build`.
  4. As part of the build process, cargo compiles and runs the crate's build script before compiling the crate itself, so the malicious build script within mysten-metrics executes with the developer's privileges.
  5. The build script collects sensitive data from the build environment (e.g., environment variables, file contents, system information).
  6. The build script attempts to exfiltrate the collected data to a remote attacker-controlled server. The exfiltration channel is not specified, but it could involve HTTP/S requests or DNS tunneling.
  7. The attacker receives the exfiltrated data from the compromised build machine.

Impact

The successful execution of the malicious build script could expose sensitive information, including API keys, credentials, source code, and other confidential data present on the build machine. This data could then be used to compromise the developer’s infrastructure, intellectual property, and customer data. Because no usage was observed, early removal contained the impact.

Recommendation

  • Implement integrity checks for all third-party dependencies to identify and prevent the use of malicious packages.
  • Monitor network connections originating from build processes for suspicious outbound traffic, as this could indicate data exfiltration, and define rules restricting which connections build processes are allowed to make.
  • Implement file integrity monitoring on build machines to detect unauthorized modifications to files during the build process.

Detection coverage (2 rules)

Detect Network Connections from Build Scripts
Severity: medium
Detects network connections initiated by Rust build scripts, which may indicate malicious activity.
Format: Sigma. Tactic: exfiltration. Technique: T1041. Log sources: network_connection, linux.

Detect Suspicious File Access During Build Process
Severity: high
Detects access to sensitive files by cargo during build processes.
Format: Sigma. Tactic: discovery. Technique: T1005. Log sources: file_event, linux.
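The two rules above, applied to constructed Linux endpoint events as an added Python example (not the platform's own rules or the advisory's code; the JSON field names, the sensitive-path list and every path, hash and address are assumptions). It keys on the directory shape cargo gives compiled build scripts, so cargo's own registry traffic does not trigger the network rule while a build script opening a socket does.

```python
import json
import re

# cargo compiles a crate's build.rs to <target>/<profile>/build/<crate>-<16-hex-hash>/build-script-build
BUILD_SCRIPT_RE = re.compile(
    r"/build/(?P<crate>[A-Za-z0-9_.-]+)-[0-9a-f]{16}/build-script-build$")
# Assumed set of paths a build has no legitimate reason to read.
SENSITIVE_RE = re.compile(
    r"/\.ssh/|/\.aws/credentials$|/\.cargo/credentials(\.toml)?$|/\.gnupg/|/\.npmrc$|/\.env$")


def crate_of(image: str):
    """Return the crate name if `image` is a compiled cargo build script, else None."""
    m = BUILD_SCRIPT_RE.search(image)
    return m.group("crate") if m else None


def analyze(lines):
    """Apply both rules to JSON-lines endpoint events; return alerts in input order."""
    alerts = []
    for raw in lines:
        ev = json.loads(raw)
        image = ev.get("image", "")
        crate = crate_of(image)
        if ev["type"] == "network_connection" and crate:
            # Registry fetches come from cargo itself, not from build-script-build,
            # so they do not match; a build script opening a socket is unusual.
            alerts.append({"rule": "build_script_network", "severity": "medium",
                           "crate": crate, "image": image,
                           "detail": f"{ev['dst_ip']}:{ev['dst_port']}"})
        elif ev["type"] == "file_event" and (crate or image.endswith("/cargo")):
            if SENSITIVE_RE.search(ev["target"]):
                alerts.append({"rule": "build_sensitive_file_access", "severity": "high",
                               "crate": crate, "image": image, "detail": ev["target"]})
    return alerts


# Constructed sample events (assumed schema; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    '{"type":"network_connection","image":"/home/dev/app/target/debug/build/mysten-metrics-4f1a9c2d8e7b6a50/build-script-build","dst_ip":"203.0.113.10","dst_port":443}',
    '{"type":"file_event","image":"/home/dev/app/target/debug/build/mysten-metrics-4f1a9c2d8e7b6a50/build-script-build","target":"/home/dev/.aws/credentials"}',
    '{"type":"file_event","image":"/home/dev/.cargo/bin/cargo","target":"/home/dev/.ssh/id_ed25519"}',
    '{"type":"file_event","image":"/home/dev/app/target/debug/build/example-crate-1a2b3c4d5e6f7081/build-script-build","target":"/home/dev/app/target/debug/build/example-crate-1a2b3c4d5e6f7081/out/flags.rs"}',
    '{"type":"network_connection","image":"/home/dev/.cargo/bin/cargo","dst_ip":"203.0.113.20","dst_port":443}',
    '{"type":"file_event","image":"/usr/bin/rustc","target":"/home/dev/app/src/main.rs"}',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"], a["rule"], a["crate"] or "cargo", a["detail"])
```

Only the first three sample events produce alerts; the benign build-script output write, cargo's registry connection and rustc reading source stay silent.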
