Backdooring Rust crates for fun and profit

• black-hat-rust

  48 3,047 4.3 Rust

  Applied offensive security with Rust - https://kerkour.com/black-hat-rust

  

It's actually possible to inspect build.rs files on docs.rs by using the source view: https://docs.rs/crate/[CRATE]/[VERSION]/source/. Thanks Joshua 🙏

• startup

  1 17 10.0 Rust

  Discontinued Life before `main()` (by thomcc)

Here is an example extracted from the startup crate:

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• openvscode-server

  125 4,733 0.0 TypeScript

  Run upstream VS Code on a remote machine with access through a modern web browser from any device, anywhere.

  

Thirdly, using cloud developer environments such as GitHub Codespaces or Gitpod. By working in sandboxed environments for each project, one can significantly reduce the impact of a compromise.

• docs.rs

  139 947 9.5 Rust

  crates.io documentation generator

  

While it's possible to audit the code of a crate on https://docs.rs on clicking on a [src] button, it turns that I couldn't find a way to inspect build.rs files. Thus, combined with a malicious update, it's the almost perfect backdoor.

• crates.io

  662 2,802 10.0 Rust

  The Rust package registry

  

In Rust, packages are called crates and are (most of the time) hosted on a central repository: https://crates.io for better discoverability.

• SaaSHub

  www.saashub.com featured

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

Suggest a related project