Mar 5, 2026
Malicious Rust crate 'dnp3times' found on crates.io. It scans for and steals .env files, sending secrets to an attacker-controlled server masquerading as timeapi.io. Developers who installed this package must rotate all exposed credentials immediately.
The Rust package 'dnp3times' was identified as a malicious component within the crates.io ecosystem, designed to execute a supply chain attack against developers. Published on March 4, 2026, the package utilized typosquatting to deceive users into installing it. Upon execution, the crate attempted to locate sensitive `.env` configuration files and exfiltrate their contents to a remote server controlled by the attacker. The exfiltration traffic was obfuscated to resemble legitimate requests to `timeapi.io`.
The dnp3times crate is a malicious software package published to the Rust package registry, crates.io. Identified by the Rust Security Response Working Group under ID RUSTSEC-2026-0032, this package mimics legitimate libraries through typosquatting, specifically targeting developers working with DNP3 (Distributed Network Protocol) or time synchronization utilities.
Unlike vulnerabilities resulting from coding errors, this incident represents a deliberate supply chain attack. The package contains embedded malicious logic designed to compromise the confidentiality of the host system immediately upon installation or execution. The primary objective of the malware is the theft of sensitive environment variables and credentials stored in development configuration files.
The core malicious functionality of dnp3times involves a file system scanner and a network exfiltration routine. Upon execution—likely triggered during the build process (build.rs) or runtime usage—the code recursively searches the current working directory and parent directories for files named .env. These files typically contain high-value secrets such as database connection strings, API keys, and cloud provider credentials.
Once a .env file is located, the malware reads its contents and prepares a payload for exfiltration. The network activity is designed to evade simple traffic analysis. The advisory indicates that the destination server is configured to impersonate timeapi.io, a legitimate time synchronization service. By mimicking requests to a known public API, the attacker attempts to blend malicious traffic with benign background noise, reducing the likelihood of detection by intrusion detection systems (IDS) or firewall logs monitoring for anomalous endpoints.
This incident is not isolated but appears to be part of a broader campaign targeting the Rust ecosystem. Security researchers linked the behavior of dnp3times to previously identified malicious packages, specifically time_calibrator and time_calibrators. The recurrence of specific tactics—targeting time-related functionality and impersonating time APIs—suggests a persistent threat actor refining their tooling.
The attack vector relies on social engineering via typosquatting. The name dnp3times is likely derived from dnp3 (a popular protocol library) combined with time, anticipating that developers might mistype a dependency name or search for time-handling extensions for the DNP3 protocol. This technique exploits the trust developers place in package registries and the often-automated nature of dependency resolution.
The successful execution of dnp3times results in a total compromise of the development environment's secrets. Because .env files are the standard mechanism for injecting secrets into applications during development, they often contain production or staging credentials that grant broad access to backend infrastructure.
If the malware runs within a Continuous Integration/Continuous Deployment (CI/CD) pipeline, the impact escalates significantly. Automated build runners frequently possess privileged access tokens to cloud environments (e.g., AWS, Azure, GCP) or deployment targets. Exfiltration in this context could allow the attacker to pivot from the build environment to live infrastructure, potentially leading to data breaches or persistence within the organization's network.
Detection of this compromise requires examining Cargo.lock files for the presence of the dnp3times dependency. Network logs should be audited for outbound traffic to endpoints that resemble timeapi.io but resolve to unexpected IP addresses or exhibit anomalous payload sizes inconsistent with simple time synchronization requests.
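One way to run the two checks this paragraph calls for, as an added example that is not the advisory's or the Rust project's code: it audits a Cargo.lock for the crate names this page associates with the campaign and flags proxy-log records whose host imitates timeapi.io or whose request shape does not look like a time lookup. The proxy-log format and the sample lock contents are constructed for the example.

```rust
// Added detection example (not from the advisory). Assumes a standard Cargo.lock
// and a constructed proxy-log format "<timestamp> <host> <method> <request_bytes>".

/// Crate names this page ties to the campaign.
pub const BLOCKLIST: &[&str] = &["dnp3times", "time_calibrator", "time_calibrators"];

/// (name, version) of every [[package]] table whose name is blocklisted. Only the
/// `name` and `version` keys matter, so a line scan replaces a full TOML parser.
pub fn flagged_packages(lockfile: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let (mut name, mut version) = (None::<String>, None::<String>);
    // The trailing sentinel flushes the last table in the file.
    for raw in lockfile.lines().chain(std::iter::once("[[package]]")) {
        let line = raw.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                if BLOCKLIST.contains(&n.as_str()) {
                    hits.push((n, v));
                }
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    hits
}

/// A host that imitates timeapi.io without being that domain or a subdomain of it.
pub fn is_timeapi_lookalike(host: &str) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    let genuine = h == "timeapi.io" || h.ends_with(".timeapi.io");
    !genuine && h.contains("timeapi")
}

/// Records worth triage: a lookalike host, or a POST / oversized request to any
/// host that claims to be timeapi.io. A real time lookup is a small GET.
pub fn suspicious_requests(log: &str, max_get_bytes: usize) -> Vec<String> {
    log.lines()
        .filter(|rec| {
            let f: Vec<&str> = rec.split_whitespace().collect();
            if f.len() < 4 { return false; }
            let bytes = f[3].parse::<usize>().unwrap_or(usize::MAX);
            let claims_timeapi = f[1].to_ascii_lowercase().contains("timeapi");
            is_timeapi_lookalike(f[1]) || (claims_timeapi && (f[2] == "POST" || bytes > max_get_bytes))
        })
        .map(str::to_string)
        .collect()
}
```

Feed `flagged_packages` the text of each checked-in Cargo.lock and `suspicious_requests` the relevant window of egress logs; any hit from either is a trigger for the credential rotation described below.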
Remediation must go beyond simply removing the package. Because the malware's primary function is credential theft, any secret present in .env files on a machine where dnp3times was installed must be considered public. Developers must rotate all API keys, database passwords, and service tokens immediately. Additionally, affected systems should be wiped and rebuilt to ensure no persistence mechanisms (such as crontabs or modified binaries) remain.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| dnp3times (crates.io) | * | Removed |
| Attribute | Detail |
|---|---|
| CWE | CWE-506 (Embedded Malicious Code) |
| Attack Vector | Network (Supply Chain) |
| Impact | Confidentiality Loss (Critical) |
| Platform | Rust / crates.io |
| Malware Type | Info Stealer / Dropper |
| Status | Package Removed |