The developers of the Rust language warned about the identification of the rustdecimal package in the crates.io repository , which contains malicious code. The package was based on the legitimate package rust_decimal and used similarity in name ( typesquatting ) for distribution, with the expectation that the user would not notice the absence of an underscore when searching or selecting a module from a list.
It is noteworthy that this strategy was successful and number of downloads dummy package was only slightly behind the original At the same time, most of the downloads were for a harmless clone that does not contain malicious code. Malicious changes were added on March 25 in rustdecimal 1.23.5, which was downloaded about 500 times before the problem was discovered and the package was blocked (it is assumed that most of the downloads of the malicious version were made by bots) and was not used in dependencies of other packages present in the repository ( it is possible that the malicious package was a dependency for end applications).
The malicious changes boiled down to the addition of a new Decimal::new function, the implementation of which contained obfuscated code for downloading from an external server and running an executable file. When the function was called, the GITLAB_CI environment variable was checked; if it was set, the /tmp/git-updater.bin file was loaded from an external server. The downloadable malicious handler supported Linux and macOS (Windows platform was not supported).
It was assumed that the malicious function will be performed during testing on continuous integration systems. After blocking rustdecimal, crates.io administrators analyzed the contents of the repository for similar malicious inserts, but found no problems in other packages. Owners of continuous integration systems based on the GitLab platform are advised to make sure that the projects tested on their servers do not use the rustdecimal package as dependencies.