Five Malicious Rust Crates and AI Bot Abuse CI/CD Pipelines to Steal Developer Secrets


Security researchers have uncovered a group of malicious packages written in the Rust programming language that were uploaded to the official Rust package registry crates.io. These packages were disguised as utilities designed to manage or synchronize system time but were actually created to steal sensitive developer data.

The five malicious crates identified are:

  • chrono_anchor
  • dnp3times
  • time_calibrator
  • time_calibrators
  • time-sync

According to researchers from Socket, the packages impersonated a legitimate time service called timeapi.io and were uploaded between February and March 2026. Evidence suggests that the same threat actor created all five packages, as they used identical methods for data theft and relied on a similar domain, timeapis[.]io, to store stolen information.

Targeting .env Files to Capture Secrets

Although these Rust crates appeared to offer harmless functionality, their true purpose was to collect sensitive data from developer machines.

The malware specifically targeted .env files, which often store critical credentials such as:

  • API keys
  • authentication tokens
  • database credentials
  • cloud service secrets

Security researcher Kirill Boychenko explained that the packages secretly read these files and transmitted their contents to attacker-controlled servers.

Four of the packages simply attempted to exfiltrate the contents of .env files. However, the chrono_anchor crate included additional techniques such as code obfuscation to make detection more difficult.

How the Malicious Code Operated

The chrono_anchor package concealed its malicious logic inside a Rust file named guard.rs. The code was triggered through an optional synchronization function, making it appear harmless to developers reviewing the package.

Unlike many traditional malware samples, these packages did not attempt to establish persistence on infected systems. Instead, the malicious code executed whenever a developer triggered it within a Continuous Integration workflow.

This means every CI build that called the package could leak whatever secrets were present in the build environment at that moment, with no persistent implant left behind for later discovery.

Impact on CI/CD Pipelines

Compromising .env files can have serious consequences. Attackers who obtain these secrets may gain access to:

  • cloud infrastructure
  • internal databases
  • deployment pipelines
  • source code repositories

Although the malicious crates were eventually removed from crates.io, developers who installed them are advised to:

  • rotate API keys and tokens
  • audit CI/CD pipelines for suspicious activity
  • restrict outbound network connections in build environments
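Auditing a project for the crates named above is one concrete form of the "audit CI/CD pipelines" advice. The following Rust program is an added example written for this article; it is not code from Socket, crates.io or the malicious packages. It parses a Cargo.lock with no external dependencies, flags any `[[package]]` entry whose name appears in the article's list, and separately scans vendored crate source for the two indicators the article reports (a `.env` string and the `timeapis.io` domain). The sample Cargo.lock and its version numbers are constructed for the example; the indicator list, the function names and the lockfile parsing rules are this example's own assumptions.

```rust
// Added example (not from the article or any project it names):
// audit a Cargo.lock for the crate names reported by Socket, and scan
// crate source for the indicators the article describes.
use std::collections::HashSet;

/// Crate names taken from the article.
pub const MALICIOUS_CRATES: &[&str] = &[
    "chrono_anchor",
    "dnp3times",
    "time_calibrator",
    "time_calibrators",
    "time-sync",
];

/// Indicators from the article: the .env file target and the
/// exfiltration domain (written here undefanged so matching works).
pub const SOURCE_INDICATORS: &[&str] = &[".env", "timeapis.io"];

/// Constructed Cargo.lock fragment for demonstration; versions are made up.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "chrono_anchor"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "time-sync"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub name: String,
    pub version: String,
}

/// Extract the quoted value of a `key = "value"` line, or None.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Walk the `[[package]]` tables of a Cargo.lock and return every entry
/// whose name is on the list. Entries are emitted in file order.
pub fn audit_cargo_lock(lock: &str) -> Vec<Finding> {
    let bad: HashSet<&str> = MALICIOUS_CRATES.iter().copied().collect();
    let mut findings = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;

    // A trailing sentinel header flushes the last table without special-casing.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let t = line.trim();
        if t == "[[package]]" {
            if let Some(n) = name.take() {
                if bad.contains(n.as_str()) {
                    findings.push(Finding {
                        name: n,
                        version: version.take().unwrap_or_default(),
                    });
                }
            }
            version = None;
            continue;
        }
        if let Some(v) = quoted_value(t, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(t, "version") {
            version = Some(v);
        }
    }
    findings
}

/// Return which of the article's indicators appear in a crate's source text.
/// A hit is a reason to read that crate by hand, not proof of malice:
/// plenty of legitimate crates touch .env files.
pub fn scan_source_for_indicators(src: &str) -> Vec<&'static str> {
    SOURCE_INDICATORS
        .iter()
        .copied()
        .filter(|needle| src.contains(needle))
        .collect()
}

fn main() {
    // Stand-alone run: audit the constructed lockfile and print hits.
    for f in audit_cargo_lock(SAMPLE_LOCK) {
        println!("flagged dependency: {} {}", f.name, f.version);
    }
    let sample_src = "let env = std::fs::read_to_string(\".env\");";
    println!("indicators in sample source: {:?}", scan_source_for_indicators(sample_src));
}
```

In a real pipeline you would feed `audit_cargo_lock` the contents of the project's Cargo.lock and `scan_source_for_indicators` each file under `~/.cargo/registry/src`; a hit on either is a trigger for the rotation and network-restriction steps listed above, not a verdict on its own.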
