Full Report
Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities and transmit `.env` file data to the threat actors. The Rust packages, published to crates.io, are chrono_anchor, dnp3times, time_calibrator, time_calibrators and time-sync. The crates, per Socket, impersonate timeapi.io and were published between late February and early March.
Analysis Summary
# Tool/Technique: Malicious Rust Crates (Time-Utility Typosquatting)
## Overview
A set of five malicious Rust packages (crates) published to crates.io and designed to masquerade as legitimate time-related utilities. Their primary purpose is to harvest and exfiltrate developer secrets, specifically the contents of `.env` files in developer environments and CI/CD pipelines.
## Technical Details
- **Type:** Malware (Supply Chain / Credential Stealer)
- **Platform:** Any environment running Rust/Cargo (Windows, macOS, Linux, CI/CD runners)
- **Capabilities:** Secret harvesting, environment variable exfiltration, anti-analysis (obfuscation), impersonation.
- **First Seen:** Late February 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0006 - Credential Access**
- T1552.001 - Unsecured Credentials: Credentials In Files (targeting `.env` files)
- **TA0007 - Discovery**
- T1083 - File and Directory Discovery
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Information Theft:** Specifically targets `.env` files which commonly contain API keys, database credentials, cloud service tokens, and GitHub/Registry secrets.
- **Impersonation:** Masquerades as legitimate utilities (impersonating `timeapi.io`) or uses names similar to popular crates to trick developers.
- **Automated Exfiltration:** Once invoked, the code automatically packages discovered secrets and transmits them to a centralized domain controlled by the threat actor.
### Advanced Features
- **Conditional Execution (chrono_anchor):** This variant places the malicious logic in a file called `guard.rs` behind an "optional sync" helper function, so a reviewer skimming the crate's main code path does not see the exfiltration.
- **CI/CD Persistence-via-Execution:** Rather than establishing traditional host persistence (registry keys, services, cron), the malware relies on being executed again every time a developer or CI workflow builds the project that depends on it, which in a pipeline means every run.
- **Obfuscation:** Some variants vary their code and structure to evade signature-based detection.
## Indicators of Compromise
- **File Names:**
- `chrono_anchor`
- `dnp3times`
- `time_calibrator`
- `time_calibrators`
- `time-sync`
- `guard.rs` (internal helper within `chrono_anchor`)
- **Network Indicators:**
- `timeapis[.]io` (Exfiltration domain)
## Associated Threat Actors
- **Unknown (Single Operator):** Assessed to be a single threat actor based on the shared exfiltration infrastructure and consistent methodology across all five crates.
## Detection Methods
- **Signature-based detection:** Scanning `Cargo.lock` files, local Cargo caches (`~/.cargo/registry`) and CI/CD build environments for the malicious crate names listed above.
- **Behavioral detection:** Monitoring for unexpected outbound network connections during the build or test phase of a project, particularly to destinations outside the registry and to known lookalikes such as `timeapis[.]io`.
- **Log Analysis:** Auditing CI/CD runner logs for reads of `.env` files by unexpected processes during build or test steps, rather than only during dependency resolution.
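The two checks above can be scripted as a pre-build CI step. The following is an added example written for this page, not code from the Socket report or from the malicious crates themselves. It scans a `Cargo.lock` for the five crate names given as indicators (comparing names with `-` and `_` normalised, since crates.io treats those as the same name) and scans an egress log for any destination outside an allow-list of registry hosts. The `Cargo.lock` excerpt, the egress log lines, their `<timestamp> <pid> <process> <host>:<port>` layout, the process name `my-app` and the allow-list are all constructed for the example; adapt the log format and allow-list to your own runner and registry mirror.

```rust
// Added example: offline pre-build checks for the indicators in this report.
// Sample lock file and egress log below are constructed, not captured from a real build.
use std::collections::HashSet;

/// Crate names listed as indicators of compromise in the report.
const MALICIOUS_CRATES: [&str; 5] = [
    "chrono_anchor",
    "dnp3times",
    "time_calibrator",
    "time_calibrators",
    "time-sync",
];

/// Hosts a build is allowed to reach (assumed allow-list; adjust for a private mirror).
const ALLOWED_HOSTS: [&str; 3] = ["crates.io", "static.crates.io", "index.crates.io"];

/// crates.io treats `-` and `_` in a crate name as equivalent, so compare in one form.
fn normalise(name: &str) -> String {
    name.trim().to_ascii_lowercase().replace('-', "_")
}

/// Minimal line-based reader for `[[package]]` entries in a Cargo.lock.
/// Returns (name, version) pairs; avoids a TOML dependency so it runs stand-alone.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    fn push_entry(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
        // Both fields are taken so the top-level `version = 3` line never pairs with a name.
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push((n, v));
        }
    }
    let mut out = Vec::new();
    let mut name = None;
    let mut version = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            push_entry(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    push_entry(&mut name, &mut version, &mut out);
    out
}

/// Indicator 1: Cargo.lock entries whose name matches a known malicious crate.
pub fn flag_malicious_crates(lock: &str) -> Vec<(String, String)> {
    let bad: HashSet<String> = MALICIOUS_CRATES.iter().map(|n| normalise(n)).collect();
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| bad.contains(&normalise(n)))
        .collect()
}

/// Indicator 2: egress log lines (assumed layout `<ts> <pid> <process> <host>:<port>`)
/// whose destination host is not on the allow-list. Returns (process, host) pairs.
pub fn flag_unexpected_egress(log: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    for line in log.lines() {
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() < 4 {
            continue; // blank or malformed line
        }
        let dest = fields[3];
        let host = dest.rsplit_once(':').map_or(dest, |(h, _)| h);
        let allowed = ALLOWED_HOSTS
            .iter()
            .any(|a| host == *a || host.ends_with(&format!(".{}", a)));
        if !allowed {
            hits.push((fields[2].to_string(), host.to_string()));
        }
    }
    hits
}

/// Constructed Cargo.lock excerpt: one legitimate crate, two indicator names, the app itself.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "chrono"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "chrono_anchor"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "time_sync"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-app"
version = "0.1.0"
"#;

/// Constructed egress log from a build: two registry fetches and one lookalike-domain connection.
pub const SAMPLE_EGRESS: &str = "\
2026-03-02T10:14:03Z 4121 cargo static.crates.io:443
2026-03-02T10:14:09Z 4388 my-app timeapis.io:443
2026-03-02T10:14:10Z 4121 cargo index.crates.io:443
";

fn main() {
    for (name, ver) in flag_malicious_crates(SAMPLE_LOCK) {
        println!("MALICIOUS CRATE in Cargo.lock: {name} {ver}");
    }
    for (process, host) in flag_unexpected_egress(SAMPLE_EGRESS) {
        println!("UNEXPECTED EGRESS: {process} -> {host}");
    }
}
```

In a pipeline, fail the job when either function returns a non-empty list. The same allow-list used in `flag_unexpected_egress` is the list to enforce at the runner's firewall or proxy, so a crate that reaches a lookalike domain is blocked as well as logged.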
## Mitigation Strategies
- **Dependency Pinning:** Pin known-good versions (an exact `=x.y.z` requirement in `Cargo.toml`), commit `Cargo.lock` so builds are reproducible, and review every newly added dependency before it reaches CI.
- **Network Egress Filtering:** Restrict build servers and CI/CD runners from accessing the public internet except for authorized registries and known-good endpoints.
- **Credential Rotation:** If these crates were present, rotate all API keys, tokens, and secrets found in the environment immediately.
- **Pre-execution Scanning:** Use software composition analysis (SCA) tools that flag suspicious or newly published crates with low download counts.
## Related Tools/Techniques
- **Typosquatting:** A common supply chain attack technique used against npm, PyPI, and crates.io.
- **hackerbot-claw:** An AI-powered bot mentioned in the same report that targets GitHub Actions workflows to achieve similar goals (secret theft).