- The crates.io team will no longer publish a blog post each time a malicious crate is detected or reported.
- In the vast majority of cases to date, these notifications have involved crates that have no evidence of real world usage, and we feel that publishing these blog posts is generating noise, rather than signal.
- We will always publish a RustSec advisory when a crate is removed for containing malware.
- You can subscribe to the RustSec advisory RSS feed to receive updates.
- Crates that contain malware and are seeing real usage or exploitation will still get both a blog post and a RustSec advisory.
- We may also notify via additional communication channels (such as social media) if we feel it is warranted.
Article Summaries:
- Crates.io has revised its malicious-crate notification policy. The registry will stop publishing a blog post for every detected or reported malware crate, citing that most incidents involve unused packages and generate "noise." Instead, a RustSec advisory will always be issued when a crate is removed for malware. Crates that are actively used or exploited will still receive a blog post, a RustSec advisory, and possibly other channels such as social media. The update follows recent removals of several credential-exfiltration crates (e.g., finch_cli_rust, polymarket-clients-sdk) and includes a retrospective list of deletions, user account suspensions, and provider notifications.