crates-io
Safeguard articles tagged "crates-io" — guides, analysis, and best practices for software supply chain and application security.
16 articles
Rust Supply Chain Security: build.rs, Typosquatting, and Auditing crates.io
Rust's borrow checker guarantees memory safety in your code — and nothing about the crates you pull in. A cargo build runs arbitrary code at compile time, before any safe code executes.
TrapDoor: The Cross-Ecosystem Crypto Stealer That Targeted DeFi Developers (May 2026)
Socket disclosed TrapDoor on May 24, 2026: 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io built to steal crypto wallets, SSH keys, and cloud credentials from crypto, DeFi, Solana, and AI developers.
crates.io's Security Team in 2026: Response Workflow, Notification Policy Change, and the Alpha-Omega Investment
After the September 2025 phishing wave and the December evm-units removal, the crates.io team announced a notification policy update in February 2026 and the Rust Foundation deployed crate-scanning infrastructure funded by Alpha-Omega.
Cargo supply chain attacks: typosquatting and malicious c...
Crates.io typosquatting tricks Rust developers into pulling malicious crates instead of trusted ones. Here's how these attacks work — and how to spot them before you build.
Rust crates.io Supply Chain Controls in 2026
crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.
Malicious Rust crates found on crates.io
Malicious crates keep surfacing on crates.io, from the rustdecimal typosquat to build-script payload attacks. Here's how the pattern works and how to defend against it.
Rust supply chain security landscape
Rust's crates.io has topped 170,000 packages and real attacks are following. Here's what's changed and how security teams should respond.
Typosquatting on crates.io report
Safeguard's research team scanned all of crates.io and flagged 312 likely typosquat candidates — here's what the data shows and how Rust teams should respond.
faster_log and async_println: Rust's First Public Wallet-Stealing Crates
On September 24, 2025, crates.io removed faster_log and async_println — Rust typosquats that had quietly stolen Ethereum and Solana keys from 8,424 downloads since May.
Comparing Malicious Package Tactics Across npm, PyPI, Rub...
npm, PyPI, RubyGems, and crates.io each get hit by malicious packages differently. Real incidents from 2018-2025 show how attacker tactics shift by ecosystem.
Rust Crate Security: cargo audit, cargo vet and Beyond
cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.
rust crates.io Security Model Reviewed
A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.