mirror of
https://github.com/rustsec/advisory-db.git
synced 2026-07-16 00:12:29 -04:00
Add malware advisory for onering 1.4.1 (#2953)
This commit is contained in:
22
crates/onering/RUSTSEC-0000-0000.md
Normal file
22
crates/onering/RUSTSEC-0000-0000.md
Normal file
@@ -0,0 +1,22 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "onering"
|
||||
date = "2026-06-10"
|
||||
categories = ["malicious"]
|
||||
|
||||
[versions]
|
||||
unaffected = ["< 1.4.1", "> 1.4.1"]
|
||||
patched = []
|
||||
```
|
||||
|
||||
# `onering` 1.4.1 was removed from crates.io for malicious code
|
||||
|
||||
A new version of the `onering` crate was published with code that attempted to
|
||||
exfiltrate both metadata and code from the project it was included within.
|
||||
|
||||
One malicious version was published on 2026-06-10, approximately six hours
|
||||
before removal. This crate has no dependencies on crates.io, and there is no
|
||||
evidence of actual usage of the compromised version.
|
||||
|
||||
Thanks to Charlie Eriksen for the report.
|
||||
Reference in New Issue
Block a user