Backdooring Rust crates for fun and profit

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • black-hat-rust

    Applied offensive security with Rust - https://kerkour.com/black-hat-rust

  • Want to learn more Rust, Offensive Security and Applied Cryptography? Take a look at my book Black Hat Rust. Get 42% off until Friday, November 12 with the coupon 1311B892

  • openvscode-server

    Run upstream VS Code on a remote machine with access through a modern web browser from any device, anywhere.

  • Thirdly, using cloud developer environments such as GitHub Codespaces or Gitpod. By working in sandboxed environments for each project, one can significantly reduce the impact of a compromise.

  • docs.rs

    crates.io documentation generator

  • While it's possible to audit the code of a crate on https://docs.rs by clicking the [src] button, it turns out that I couldn't find a way to inspect build.rs files. Thus, combined with a malicious update, it's the almost perfect backdoor.

  • crates.io

    The Rust package registry

  • In Rust, packages are called crates and are (most of the time) hosted on a central repository: https://crates.io for better discoverability.
