The malicious “rustdecimal” crate

Post Syndicated from original https://lwn.net/Articles/894808/

The Rust Blog warns
developers
of a malicious crate named rustdecimal, which was
evidently targeted at GitLab users who mistype rust_decimal.

The crate contained identical source code and functionality as the
legit rust_decimal crate, except for the Decimal::new function.

When the function was called, it checked whether the GITLAB_CI
environment variable was set, and if so it downloaded a binary
payload into /tmp/git-updater.bin and executed it. The binary
payload supported both Linux and macOS, but not Windows.