Malicious rustdecimal package found in crates.io Rust repository

The developers of the Rust language have warned about the identification of the rustdecimal package in the crates.io repository, which contains malicious code. The package was based on the legitimate package rust_decimal and relied on the similarity of the names (typosquatting) for distribution, the expectation being that the user would not notice the missing underscore when searching for the crate or selecting it from a list.

It is noteworthy that this strategy was successful: the fake package was only slightly behind the original in download count (~111 thousand downloads of rustdecimal 1.23.1 against 113 thousand downloads of the original rust_decimal 1.23.1). However, most of those downloads were of a harmless clone that contained no malicious code. The malicious changes were added on March 25 in version rustdecimal 1.23.5, which was downloaded about 500 times before the problem was discovered and the package was blocked (it is assumed that most downloads of the malicious version were made by bots). No other package in the repository listed it as a dependency, although it may have been a dependency of end applications.

The malicious changes boiled down to adding a new Decimal::new function whose implementation contained obfuscated code for downloading a file from an external server and running it as an executable. When the function was called, the GITLAB_CI environment variable was checked; if it was set, a file was downloaded from an external server to /tmp/git-updater.bin and executed. The downloaded malicious payload supported Linux and macOS (Windows was not supported).

The malicious function was evidently intended to run during testing on continuous integration systems. After blocking rustdecimal, the crates.io administrators analyzed the contents of the repository for similar malicious inserts but found no problems in other packages. Owners of continuous integration systems based on the GitLab platform are advised to make sure that the projects tested on their servers do not use the rustdecimal package as a dependency.
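The check recommended above can be automated over a project's Cargo.lock. The following Rust program is an added example and is not code from the advisory or from the crates.io team: it parses the `[[package]]` entries of a lockfile with no external crates, flags the exact crate name the advisory names, and also flags any crate whose name matches a trusted crate once `_` and `-` are removed, which is the rust_decimal / rustdecimal pattern generalized to other separator-dropping typosquats. The sample lockfile and the trusted-crate list are constructed for the example.

```rust
// Added example, not part of the advisory: audit a Cargo.lock for a blocked
// crate and for names that collide with a trusted crate after separators are
// removed. Run with a path to a Cargo.lock, or with no argument to use the
// constructed sample below.
use std::collections::HashSet;
use std::env;
use std::fs;

/// One flagged lockfile entry.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub name: String,
    pub version: String,
    pub reason: String,
}

/// Exact-match blocklist; rustdecimal is the crate named in the advisory.
pub const BLOCKED: &[&str] = &["rustdecimal"];

/// Trusted crates whose names we guard against look-alikes (constructed list).
pub const TRUSTED: &[&str] = &["rust_decimal", "serde"];

/// Constructed sample lockfile containing the legitimate crate, the malicious
/// version of the typosquat, and an unrelated crate.
pub const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "rust_decimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.137"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Move a completed (name, version) pair into `out` and reset both cursors.
fn push_entry(out: &mut Vec<(String, String)>, name: &mut Option<String>, version: &mut Option<String>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
}

/// Minimal line-oriented parse of the `[[package]]` blocks of a Cargo.lock.
/// Only `name = "..."` and `version = "..."` lines are read; the lockfile's
/// top-level `version = 3` line is dropped because no `name` accompanies it.
pub fn parse_lock(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            push_entry(&mut out, &mut name, &mut version);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    push_entry(&mut out, &mut name, &mut version);
    out
}

/// Lowercase and strip `_` and `-`, so `rust_decimal` and `rustdecimal` collide.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().chars().filter(|c| !matches!(c, '_' | '-')).collect()
}

/// Flag blocked crates exactly, then flag names that equal a trusted crate
/// after normalization but differ from it as written.
pub fn audit(lock: &str, blocked: &[&str], trusted: &[&str]) -> Vec<Finding> {
    let blocked: HashSet<&str> = blocked.iter().copied().collect();
    let mut findings = Vec::new();
    for (name, version) in parse_lock(lock) {
        if blocked.contains(name.as_str()) {
            findings.push(Finding { name, version, reason: "blocked crate".to_string() });
            continue;
        }
        let norm = normalize(&name);
        for t in trusted {
            if *t != name.as_str() && normalize(t) == norm {
                findings.push(Finding {
                    name: name.clone(),
                    version: version.clone(),
                    reason: format!("looks like a typosquat of {}", t),
                });
            }
        }
    }
    findings
}

fn main() {
    let lock = match env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read lockfile"),
        None => SAMPLE_LOCK.to_string(),
    };
    for f in audit(&lock, BLOCKED, TRUSTED) {
        println!("{} {}: {}", f.name, f.version, f.reason);
    }
}
```

On the sample lockfile the blocklist catches rustdecimal 1.23.5 directly; with an empty blocklist the normalization heuristic still flags it as a look-alike of rust_decimal, which is the check worth keeping in a CI step after the specific name has been removed from dependencies.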

Source: opennet.ru