A malicious Rust crate published to the official crates.io registry was discovered delivering operating system-specific malware. The package, named rustdecimal, was a typosquat of the legitimate and popular rust_decimal crate, designed to deceive developers into incorporating it into their projects.
The attack was identified by security researchers at Phylum, who observed the package’s malicious behavior. The primary targets of this software supply chain attack were developers, with evidence suggesting a focus on the Web3 ecosystem.
Attack Vector and Execution
The core of the attack was embedded within the crate’s build.rs file, a build script that Cargo, Rust’s package manager, runs before compiling a package. The script contained logic to detect the operating system of the developer’s machine: at compile time it checked the TARGET_OS variable to determine whether the host was Windows, macOS, or Linux.
Based on the detected operating system, the script then executed a specific command to download a second-stage payload from a remote server. For Linux and macOS systems, it used the curl command. For Windows systems, it utilized PowerShell’s Invoke-WebRequest cmdlet to fetch the malware.
Multi-Stage Malware Delivery
This attack employed a multi-stage delivery mechanism. The initial build script did not contain the final malware itself but acted as a downloader. After successfully identifying the host OS, it fetched and executed the appropriate OS-specific script. This second stage was responsible for deploying the final malicious payload, which was identified as an information stealer or backdoor.
The package was swiftly removed from the crates.io registry after its malicious nature was reported. The incident highlights the ongoing threat of typosquatting and malicious code injection within open-source software repositories.
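As an added defender-side illustration (not code from the article or from Phylum), the following checks a Cargo.lock for dependency names that are near-duplicates of known popular crates, the pattern behind rustdecimal versus rust_decimal. The watchlist and the Cargo.lock fragment are constructed for the example.

```rust
use std::collections::HashSet;

// Constructed sample Cargo.lock fragment (not from the incident): one look-alike, one legitimate crate.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"rustdecimal\"\nversion = \"1.0.0\"\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.0\"\n";

/// Normalize a crate name the way crates.io treats it: case-insensitive, '-' and '_' equivalent.
fn normalize(name: &str) -> String {
    name.to_lowercase().replace('-', "_")
}
/// Levenshtein edit distance (single-row dynamic programming).
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, &ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1; b.len() + 1];
        for (j, &cb) in b.iter().enumerate() {
            let cost = if ca == cb { 0 } else { 1 };
            cur[j + 1] = (prev[j + 1] + 1).min(cur[j] + 1).min(prev[j] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}
/// Pull every `name = "..."` entry out of Cargo.lock text.
fn lock_crate_names(lock: &str) -> Vec<String> {
    lock.lines()
        .filter_map(|l| l.trim().strip_prefix("name = \""))
        .filter_map(|rest| rest.strip_suffix('"'))
        .map(str::to_string)
        .collect()
}

/// Flag crates that are not on the watchlist but sit within edit distance 1 of a watched
/// name after normalization (rustdecimal vs rust_decimal); returns (suspect, lookalike) pairs.
pub fn find_typosquats(lock: &str, watchlist: &[&str]) -> Vec<(String, String)> {
    let watched: HashSet<String> = watchlist.iter().map(|w| normalize(w)).collect();
    let mut hits = Vec::new();
    for name in lock_crate_names(lock) {
        let n = normalize(&name);
        if watched.contains(&n) { continue; } // exact (or -/_ variant) match of a known crate
        for w in &watched {
            if edit_distance(&n, w) <= 1 {
                hits.push((name.clone(), w.clone()));
            }
        }
    }
    hits
}

fn main() {
    for (suspect, lookalike) in find_typosquats(SAMPLE_LOCK, &["rust_decimal", "serde", "tokio"]) {
        println!("suspicious dependency {suspect}: looks like {lookalike}");
    }
}
```

A hit is a prompt to inspect the crate (its build.rs in particular) before building, not proof of malice, since legitimate crates can also have similar names.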
Source: https://thehackernews.com/2025/12/malicious-rust-crate-delivers-os.html