Add malware advisory for onering 1.4.1 (#2953)

This commit is contained in:
Adam Harvey
2026-06-10 12:00:31 -07:00
committed by GitHub
parent 02c8054e58
commit 555af38143

View File

@@ -0,0 +1,22 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "onering"
date = "2026-06-10"
categories = ["malicious"]
[versions]
unaffected = ["< 1.4.1", "> 1.4.1"]
patched = []
```
# `onering` 1.4.1 was removed from crates.io for malicious code
A new version of the `onering` crate was published with code that attempted to
exfiltrate both metadata and code from the project it was included within.
One malicious version was published on 2026-06-10, approximately six hours
before removal. This crate has no dependencies on crates.io, and there is no
evidence of actual usage of the compromised version.
Thanks to Charlie Eriksen for the report.