
Cybersecurity researchers have discovered five malicious Rust crates that send .env file data to threat actors under the guise of time-related utilities.
The Rust packages, published on crates.io, are:
- chrono_anchor
- dnp3times
- time_calibrator
- time_calibrators
- time-sync
According to Socket, these crates impersonated timeapi.io and were published between late February and early March 2026. The campaign has been attributed to a single threat actor based on the same exfiltration technique and the use of a similar domain (“timeapis[.]io”) to hide the stolen data.
“These crates pose as local time utilities, but their core activity is the theft of credentials and secrets,” said security researcher Kirill Boychenko. “They collect sensitive data from development environments, especially .env files, and attempt to exfiltrate it to infrastructure controlled by threat actors.”
While the other four packages implement only very simple functionality to exfiltrate .env files, “chrono_anchor” goes a step further by implementing obfuscation and operational changes to evade detection. This crate was promoted as a way to adjust local time without relying on Network Time Protocol (NTP).
To avoid developer suspicion, “chrono_anchor” embeds its exfiltration logic within a file named “guard.rs” that is called from an “optional synchronization” helper function. Unlike other malware, the code observed in this case is not intended to establish persistence on the host through a service or scheduled task.
Instead, the crate attempts to exfiltrate .env secrets again each time a developer or a continuous integration (CI) workflow calls the malicious code.
The targeting of .env files is no coincidence: they typically hold API keys, tokens, and other secrets that allow attackers to compromise downstream users and gain deeper access to environments, including cloud services, databases, GitHub, and registry tokens.
The packages have since been removed from crates.io, but users who may have inadvertently downloaded any of them are advised to assume possible compromise, rotate keys and tokens, audit CI/CD jobs that run with publish or deployment credentials, and restrict outbound network access where possible.
“This campaign shows that even low-complexity supply chain malware can have a significant impact when executed within a developer’s workspace or CI job,” Socket said. “Prioritize controls that stop malicious dependencies before they run.”
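For the audit recommended above, the lockfile is one place to start. The following is an added example, not code from Socket or the original article: it scans Cargo.lock text for the five crate names listed earlier. The sample lockfile and its version numbers are constructed placeholders.

```python
import re

# Crate names reported in the article above.
FLAGGED_CRATES = ("chrono_anchor", "dnp3times", "time_calibrator",
                  "time_calibrators", "time-sync")
_BLOCK = re.compile(r"^\[\[package\]\]\s*$", re.MULTILINE)
_FIELD = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"', re.MULTILINE)

def _norm(name):
    # crates.io treats '-' and '_' as the same name, so compare normalised.
    return name.replace("-", "_").lower()

_FLAGGED = {_norm(n) for n in FLAGGED_CRATES}

def find_flagged_packages(lock_text):
    """Return (name, version, source) for each flagged crate in a Cargo.lock."""
    hits = []
    for block in _BLOCK.split(lock_text)[1:]:  # [0] is the lockfile header
        fields = dict(_FIELD.findall(block))
        if _norm(fields.get("name", "")) in _FLAGGED:
            hits.append((fields["name"], fields.get("version", "?"),
                         fields.get("source", "<no registry source>")))
    return hits

# Constructed sample lockfile; versions are placeholders, not real releases.
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "build-tools"
version = "0.1.0"
dependencies = [
 "time-sync",
]

[[package]]
name = "chrono"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "time-sync"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

if __name__ == "__main__":
    for name, version, source in find_flagged_packages(SAMPLE_LOCK):
        print(f"FLAGGED {name} {version} ({source})")
```

A hit only shows the crate was resolved into the build; whether secrets left the machine still has to be judged from CI logs and outbound network records.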
AI-powered bots abuse GitHub Actions
The disclosure follows the discovery of an automated attack campaign that targeted CI/CD pipelines across major open source repositories, in which an artificial intelligence (AI)-powered bot called hackerbot-claw scanned public repositories for exploitable GitHub Actions workflows and harvested developer secrets.
From February 21 to February 28, 2026, a GitHub account claiming to be an autonomous security research agent targeted over seven repositories belonging to Microsoft, Datadog, Aqua Security, and others.
The attack unfolds as follows:
- Scan for misconfigured CI/CD pipelines in public repositories
- Fork the target repository and prepare a malicious payload
- Open a pull request with a simple change, such as fixing a typo, while hiding the main payload in a branch name, filename, or CI script
- Take advantage of the fact that the workflow is automatically activated for each pull request to trigger the CI pipeline to execute malicious code on the build server
- Steal secrets and access tokens
The repository aquasecurity/trivy was the most notable target of this attack. This is Aqua Security’s popular security scanner that searches for known vulnerabilities, misconfigurations, and secrets.
“Hackerbot-claw exploited the pull_request_target workflow to steal personal access tokens (PATs),” supply chain security company StepSecurity said in a statement. “The stolen credentials were then used to take over the repository.”
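The workflow pattern described above can be checked for before any pull request triggers it. This added example (not from StepSecurity, Aqua Security, or the original article) is a line-based heuristic that flags pull_request_target workflows which check out the pull request head or interpolate PR-controlled fields into run: steps. The sample workflow is constructed, and the list of untrusted fields is an assumption that is not exhaustive.

```python
import re

# Expressions whose value is chosen by the pull request author.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*github\.(head_ref|event\.pull_request\."
    r"(head\.(ref|sha)|title|body))[^}]*\}\}")

def audit_workflow(text):
    """Return [(line_no, issue)] for a workflow using pull_request_target."""
    privileged, run_indent, findings = False, None, []
    for no, line in enumerate(text.splitlines(), 1):
        key = line.lstrip(" -")               # YAML key without the list dash
        if not key or key.startswith("#"):
            continue
        indent = len(line) - len(key)
        if re.search(r"\bpull_request_target\b", key):
            privileged = True
        if run_indent is not None and indent <= run_indent:
            run_indent = None                 # left the run: block
        if key.startswith("run:"):
            run_indent = indent
        if not UNTRUSTED.search(key):
            continue
        if key.startswith("ref:"):
            findings.append((no, "checks out PR head code with base-repo privileges"))
        elif run_indent is not None:
            findings.append((no, "PR-controlled value interpolated into shell"))
        # Untrusted values under env: are passed as data, not code: not flagged.
    return findings if privileged else []

# Constructed sample workflow (not taken from any affected repository).
SAMPLE_WORKFLOW = '''\
name: pr-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.head_ref }}"
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building $BRANCH"
'''

if __name__ == "__main__":
    for line_no, issue in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {issue}")
```

The last step in the sample shows the safer form: the branch name reaches the shell through an environment variable instead of being expanded into the script text.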
Aqua Security’s Itay Shakury revealed in a statement last week that attackers leveraged GitHub Actions workflows to push malicious versions of Trivy’s Visual Studio Code (VS Code) extension to the Open VSX registry and used local AI coding agents to collect and steal sensitive information.
According to Socket, which also investigated the extension compromise, logic injected in versions 1.8.12 and 1.8.13 runs local AI coding assistants, including Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI, in a very permissive mode, instructing them to perform extensive system checks, generate a report of the discovered information in a file named “posture-report-trivy,” and save it to a GitHub repository using the victim’s own authenticated GitHub CLI session.
Aqua has since removed the artifacts from its marketplace and revoked the tokens used to publish them. No other affected artifacts are known. Users who have installed the extension are advised to remove it immediately, check for the presence of unexpected repositories, and rotate environment secrets. The incident is tracked as CVE-2026-28353.
The following prerequisites must be met for a system to be affected by this issue:
- Version 1.8.12 or 1.8.13 was installed from Open VSX
- At least one of the targeted AI coding CLIs was installed locally
- The CLI accepted the permissive execution flag provided
- The agent was able to access sensitive data on disk
- GitHub CLI was installed and authenticated (for version 1.8.13)
“The progression from 0.12 to 0.13 looks like an iteration,” Socket said. “The first prompt scatters the data across random channels, with no reliable way for the attacker to collect the output. The second prompt solves the problem by using the victim’s own GitHub account as a clean extraction channel, but its vague instructions could cause the agent to push secrets to a private repository that the attacker cannot see.”
