CVEReports
© 2026 CVEReports. All rights reserved.
GHSA-XHW7-JHMP-J62J: Malicious 'dnp3times' Crate Exfiltrates Secrets via Typosquatting

Alon Barad, Software Engineer

Mar 5, 2026 · 4 min read

Executive Summary (TL;DR)

Malicious Rust crate 'dnp3times' found on crates.io. It scans for and steals .env files, sending secrets to an attacker-controlled server masquerading as timeapi.io. Developers who installed this package must rotate all exposed credentials immediately.

The Rust package 'dnp3times' was identified as a malicious component within the crates.io ecosystem, designed to execute a supply chain attack against developers. Published on March 4, 2026, the package utilized typosquatting to deceive users into installing it. Upon execution, the crate attempted to locate sensitive `.env` configuration files and exfiltrate their contents to a remote server controlled by the attacker. The exfiltration traffic was obfuscated to resemble legitimate requests to `timeapi.io`.

Vulnerability Overview

The dnp3times crate is a malicious software package published to the Rust package registry, crates.io. Identified by the Rust Security Response Working Group under ID RUSTSEC-2026-0032, this package mimics legitimate libraries through typosquatting, specifically targeting developers working with DNP3 (Distributed Network Protocol) or time synchronization utilities.

Unlike vulnerabilities resulting from coding errors, this incident represents a deliberate supply chain attack. The package contains embedded malicious logic designed to compromise the confidentiality of the host system immediately upon installation or execution. The primary objective of the malware is the theft of sensitive environment variables and credentials stored in development configuration files.

Technical Analysis: Exfiltration Mechanism

The core malicious functionality of dnp3times involves a file system scanner and a network exfiltration routine. Upon execution—likely triggered during the build process (build.rs) or runtime usage—the code recursively searches the current working directory and parent directories for files named .env. These files typically contain high-value secrets such as database connection strings, API keys, and cloud provider credentials.

Once a .env file is located, the malware reads its contents and prepares a payload for exfiltration. The network activity is designed to evade simple traffic analysis. The advisory indicates that the destination server is configured to impersonate timeapi.io, a legitimate time synchronization service. By mimicking requests to a known public API, the attacker attempts to blend malicious traffic with benign background noise, reducing the likelihood of detection by intrusion detection systems (IDS) or firewall logs monitoring for anomalous endpoints.
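The masquerade described above is what a defender has to see through in egress logs. The following is an added example, not code from the advisory or from the crate, that triages constructed proxy records with the three checks the report implies: a hostname that resembles but is not timeapi.io, timeapi.io being reached at an address outside the set your resolver returns, and a request far larger than a time lookup. The log format, the expected-address list and the size threshold are assumptions.

```rust
/// One outbound record as a web proxy or egress firewall would log it. The
/// format "<ts> <method> <host> <dest_ip> <bytes_out>" is an assumption.
#[derive(Debug)]
pub struct Egress<'a> { pub method: &'a str, pub host: &'a str, pub dest_ip: &'a str, pub bytes_out: u64 }

/// Placeholder for the addresses your resolver returns for timeapi.io (documentation
/// range, not the real ones); populate from your own DNS data before use.
const EXPECTED_TIMEAPI_IPS: &[&str] = &["203.0.113.10"];
/// A genuine time lookup is a small GET; a .env file's worth of data is far larger.
const MAX_TIME_REQUEST_BYTES: u64 = 1024;

pub fn parse_line(line: &str) -> Option<Egress<'_>> {
    let mut f = line.split_whitespace();
    let (_ts, method, host, dest_ip, bytes) = (f.next()?, f.next()?, f.next()?, f.next()?, f.next()?);
    Some(Egress { method, host, dest_ip, bytes_out: bytes.parse().ok()? })
}

/// Why a record looks like timeapi.io-masquerading exfiltration, or None if benign.
pub fn suspicion(e: &Egress) -> Option<&'static str> {
    let host = e.host.to_ascii_lowercase();
    if !host.contains("timeapi") { return None; }
    if host != "timeapi.io" {
        return Some("lookalike hostname resembling timeapi.io");
    }
    if !EXPECTED_TIMEAPI_IPS.contains(&e.dest_ip) {
        return Some("timeapi.io reached at an unexpected address");
    }
    if e.method == "POST" || e.bytes_out > MAX_TIME_REQUEST_BYTES {
        return Some("POST or oversized request, not a plain time lookup");
    }
    None
}

/// Constructed proxy log: lines 1 and 4 are benign, lines 2, 3 and 5 each trip one check.
pub const SAMPLE_LOG: &str = "\
2026-03-04T10:00:01Z GET timeapi.io 203.0.113.10 312
2026-03-04T10:00:02Z GET timeapi.io 198.51.100.7 290
2026-03-04T10:00:03Z GET timeapi.example 198.51.100.8 290
2026-03-04T10:00:04Z GET crates.io 203.0.113.20 510
2026-03-04T10:00:05Z POST timeapi.io 203.0.113.10 6144";

/// (log line, reason) for every record that deserves an analyst's attention.
pub fn triage(log: &str) -> Vec<(&str, &'static str)> {
    log.lines().filter_map(|l| suspicion(&parse_line(l)?).map(|r| (l, r))).collect()
}
```

Feed `triage` your real proxy export and replace the placeholder address list first; otherwise every legitimate timeapi.io lookup will be reported as suspicious.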

Campaign Context and Attribution

This incident is not isolated but appears to be part of a broader campaign targeting the Rust ecosystem. Security researchers linked the behavior of dnp3times to previously identified malicious packages, specifically time_calibrator and time_calibrators. The recurrence of specific tactics—targeting time-related functionality and impersonating time APIs—suggests a persistent threat actor refining their tooling.

The attack vector relies on social engineering via typosquatting. The name dnp3times is likely derived from dnp3 (a popular protocol library) combined with time, anticipating that developers might mistype a dependency name or search for time-handling extensions for the DNP3 protocol. This technique exploits the trust developers place in package registries and the often-automated nature of dependency resolution.

Impact Assessment

The successful execution of dnp3times results in a total compromise of the development environment's secrets. Because .env files are the standard mechanism for injecting secrets into applications during development, they often contain production or staging credentials that grant broad access to backend infrastructure.

If the malware runs within a Continuous Integration/Continuous Deployment (CI/CD) pipeline, the impact escalates significantly. Automated build runners frequently possess privileged access tokens to cloud environments (e.g., AWS, Azure, GCP) or deployment targets. Exfiltration in this context could allow the attacker to pivot from the build environment to live infrastructure, potentially leading to data breaches or persistence within the organization's network.

Detection and Remediation

Detection of this compromise requires examining Cargo.lock files for the presence of the dnp3times dependency. Network logs should be audited for outbound traffic to endpoints that resemble timeapi.io but resolve to unexpected IP addresses or exhibit anomalous payload sizes inconsistent with simple time synchronization requests.
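One way to run the Cargo.lock check, as an added example that is not part of the advisory or of any project's code: a dependency-free scanner that parses the `[[package]]` tables of a lockfile and flags dnp3times together with the campaign's earlier crates, time_calibrator and time_calibrators. The sample lockfile and the versions in it are constructed placeholders.

```rust
use std::collections::HashSet;

/// Crate names this report identifies as malicious (dnp3times) or as earlier
/// members of the same campaign (time_calibrator, time_calibrators).
const BLOCKLIST: &[&str] = &["dnp3times", "time_calibrator", "time_calibrators"];

/// Constructed sample Cargo.lock, not a real lockfile; the versions are placeholders.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "dnp3times"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "dnp3times",
]
"#;

/// One `[[package]]` table from Cargo.lock; `source` is None for path crates.
#[derive(Debug, PartialEq)]
pub struct LockedPackage { pub name: String, pub version: String, pub source: Option<String> }

/// Line-oriented parser for Cargo.lock. The file is TOML, but every field needed
/// here is a plain `key = "value"` line, so no TOML crate is required.
pub fn parse_cargo_lock(contents: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    for line in contents.lines().map(str::trim) {
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
        } else if let (Some(p), Some((key, val))) = (current.as_mut(), line.split_once(" = ")) {
            let val = val.trim_matches('"').to_string();
            match key { "name" => p.name = val, "version" => p.version = val,
                        "source" => p.source = Some(val), _ => {} }
        }
    }
    packages.extend(current);
    packages
}

/// Locked packages whose name is on the blocklist, in lockfile order. A hit means
/// the crate was resolved into this build and every .env it could reach is exposed.
pub fn find_blocklisted(packages: &[LockedPackage]) -> Vec<&LockedPackage> {
    let block: HashSet<&str> = BLOCKLIST.iter().copied().collect();
    packages.iter().filter(|p| block.contains(p.name.as_str())).collect()
}
```

Run `find_blocklisted(&parse_cargo_lock(&std::fs::read_to_string("Cargo.lock")?))` over every lockfile in a repository or CI workspace; a non-empty result is the trigger for the credential rotation described below.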

Remediation must go beyond simply removing the package. Because the malware's primary function is credential theft, any secret present in .env files on a machine where dnp3times was installed must be considered public. Developers must rotate all API keys, database passwords, and service tokens immediately. Additionally, affected systems should be wiped and rebuilt to ensure no persistence mechanisms (such as crontabs or modified binaries) remain.

Technical Appendix

CVSS Score: Critical / 10

Affected Systems

  • Rust development environments
  • CI/CD pipelines running Rust builds
  • Systems with 'dnp3times' installed

Affected Versions Detail

Product: dnp3times (crates.io)
Affected Versions: *
Fixed Version: Removed

Attribute / Detail

CWE: CWE-506 (Embedded Malicious Code)
Attack Vector: Network (Supply Chain)
Impact: Confidentiality Loss (Critical)
Platform: Rust / crates.io
Malware Type: Info Stealer / Dropper
Status: Package Removed

MITRE ATT&CK Mapping

  • T1567 Exfiltration Over Web Service (Exfiltration)
  • T1036.003 Masquerading: Rename System Utilities (Defense Evasion)
  • T1552.001 Unsecured Credentials: Credentials In Files (Credential Access)

Vulnerability Timeline

  • 2026-03-04: Malicious package 'dnp3times' published to crates.io
  • 2026-03-04: Package identified as malicious and removed from registry
  • 2026-03-05: GitHub Security Advisory published

References & Sources

  • [1] GitHub Advisory GHSA-XHW7-JHMP-J62J
  • [2] RUSTSEC-2026-0032 Advisory
