GHSA-xp79-9mxw-878j

Source

https://github.com/advisories/GHSA-xp79-9mxw-878j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-xp79-9mxw-878j/GHSA-xp79-9mxw-878j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xp79-9mxw-878j

Aliases

RUSTSEC-2025-0150

Published

2026-02-12T22:10:23Z

Modified

2026-02-13T04:56:33.676390Z

Summary

`finch-rst` was removed from crates.io for malicious code

Details

This attempts to typosquat the existing crate <code>finch</code> to steal credentials from local files.

The malicious crate had 1 version published on 2025-12-08 and had been downloaded 21 times. There were no crates depending on this crate on crates.io.

Thanks to Matthias Zepper of NGI Sweden for reporting this to the crates.io team!

Database specific

{
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-506"
    ],
    "github_reviewed_at": "2026-02-12T22:10:23Z",
    "severity": "CRITICAL"
}

References

https://rustsec.org/advisories/RUSTSEC-2025-0150.html

Affected packages

crates.io / finch-rst

Package

Name: finch-rst; View open source insights on deps.dev
Purl: pkg:cargo/finch-rst

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-xp79-9mxw-878j/GHSA-xp79-9mxw-878j.json"