Rust crate ecosystem targeted by fake interview scam distributing backdoored dependency
Tags: OSS · Enterprise
A sophisticated supply chain attack targeting the Rust ecosystem was detailed by security researcher 'grack' on June 25. The attacker used a fabricated VC persona (a fake Singapore-based firm, 'Lua Ventures') to approach crates.io package maintainers and distribute a remote access trojan called 'PinpinRAT', delivered as a backdoored dependency through a malicious image payload. At the time of discovery the payload was not flagged by any VirusTotal AV engine. Other Rust community members reported being targeted in the same way.
Technical significance
This attack demonstrates a novel social engineering vector against open-source maintainers: fake VC advisory engagements used as a delivery mechanism for malware. The complete AV evasion underscores the limitations of signature-based detection against targeted attacks. The incident highlights the supply chain risk for any organization that depends on Rust crates, and the need for maintainers to verify the legitimacy of commercial engagement offers before accepting files or dependencies from them.