{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mystenlabs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mysten-metrics"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rust"],"_cs_type":"advisory","_cs_vendors":["MystenLabs"],"content_html":"\u003cp\u003eOn April 20, 2026, a malicious crate named \u003ccode\u003emysten-metrics\u003c/code\u003e was published to crates.io. This crate contained a build script designed to exfiltrate data from the machine during the build process. The crate was identified and removed from crates.io. At the time of removal, only one version of the crate had been published, and there was no evidence of actual usage. The crate had no dependencies on crates.io, limiting the potential spread. This incident highlights the risks associated with supply chain attacks targeting software build processes and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker publishes the \u003ccode\u003emysten-metrics\u003c/code\u003e crate to crates.io.\u003c/li\u003e\n\u003cli\u003eA developer adds \u003ccode\u003emysten-metrics\u003c/code\u003e as a dependency to their project.\u003c/li\u003e\n\u003cli\u003eThe developer builds the project using \u003ccode\u003ecargo build\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs part of the build process, the malicious build script within \u003ccode\u003emysten-metrics\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe build script collects sensitive data from the build environment (e.g., environment variables, file contents, system information).\u003c/li\u003e\n\u003cli\u003eThe build script attempts to exfiltrate the collected data to a remote attacker-controlled server. The exact exfiltration method is not specified, but could involve HTTP/S requests or DNS tunneling.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data from the compromised build machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful execution of the malicious build script could lead to the exposure of sensitive information, including API keys, credentials, source code, and other confidential data present on the build machine. This data could be used to compromise the developer\u0026rsquo;s infrastructure, intellectual property, and customer data. Since there were no known usages, the impact was contained by its early removal.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement integrity checks for all third-party dependencies to identify and prevent the use of malicious packages.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from build processes for suspicious outbound traffic, as this could indicate data exfiltration. Create network connection rules.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on build machines to detect unauthorized modifications to files during the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:43:56Z","date_published":"2026-05-04T21:43:56Z","id":"/briefs/2026-05-mysten-metrics-exfiltration/","summary":"The `mysten-metrics` crate was removed from crates.io after it was found to contain a malicious build script that attempted to exfiltrate data from the build machine during the build process.","title":"Malicious mysten-metrics Crate Exfiltrates Build Machine Data","url":"https://feed.craftedsignal.io/briefs/2026-05-mysten-metrics-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed — MystenLabs","version":"https://jsonfeed.org/version/1.1"}