Cybersecurity researchers have uncovered five malicious Rust packages that steal .env files and an AI-powered bot that exploits GitHub Actions workflows to harvest secrets from major open-source repositories.
Cybersecurity researchers have uncovered a sophisticated supply chain attack involving five malicious Rust crates and an AI-powered bot that are actively targeting Continuous Integration/Continuous Deployment (CI/CD) pipelines to steal developer secrets.
Malicious Rust Crates Target Developer Environments
Five malicious Rust packages were discovered on crates.io, masquerading as legitimate time-related utilities while secretly exfiltrating sensitive data from developer environments. The packages include:
- chrono_anchor
- dnp3times
- time_calibrator
- time_calibrators
- time-sync
The crates were published between late February and early March 2026, impersonating timeapi.io and using the lookalike domain "timeapis[.]io" to stash stolen data. According to security researcher Kirill Boychenko, "Although the crates pose as local time utilities, their core behavior is credential and secret theft."
While four of the packages use straightforward .env file exfiltration, "chrono_anchor" employs advanced obfuscation techniques. The malicious code is hidden within a file named "guard.rs" and invoked through an "optional sync" helper function to avoid detection. Unlike typical malware, these crates don't establish persistence through services or scheduled tasks. Instead, they repeatedly attempt to exfiltrate .env secrets each time a developer calls the malicious code in their CI workflow.
AI-Powered Bot Targets GitHub Actions Workflows
In a separate but related campaign, an autonomous security research agent called "hackerbot-claw" has been actively exploiting GitHub Actions workflows across major open-source repositories. Between February 21 and February 28, 2026, the bot targeted at least seven repositories belonging to Microsoft, Datadog, and Aqua Security.
The attack follows a systematic pattern:
- Scan public repositories for misconfigured CI/CD pipelines
- Fork target repository and prepare malicious payload
- Open pull request with trivial changes while concealing payload
- Trigger CI pipeline through pull request activation
- Steal secrets and access tokens
High-Profile Supply Chain Compromise
The most significant impact occurred with Aqua Security's "aquasecurity/trivy" repository, a popular security scanner. The attacker exploited a pull_request_target workflow to steal a Personal Access Token (PAT), then used it to take over the repository.
Even more concerning, the attacker compromised Trivy's Visual Studio Code extension, injecting malicious logic into versions 1.8.12 and 1.8.13. The compromised extension executes local AI coding assistants—including Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI—in highly permissive modes. These agents perform extensive system inspection, generate reports of discovered information, and save results to a GitHub repository named "posture-report-trivy" using the victim's authenticated GitHub CLI session.
Prerequisites for Exploitation
For a system to be impacted by this vulnerability (tracked as CVE-2026-28353), several conditions must be met:
- Version 1.8.12 or 1.8.13 installed from Open VSX
- At least one targeted AI coding CLI installed locally
- CLI accepts permissive execution flags
- Agent can access sensitive data on disk
- GitHub CLI installed and authenticated (for version 1.8.13)
Security Recommendations
Users who may have been affected should:
- Immediately remove the compromised VS Code extensions
- Check for unexpected repositories created on their accounts
- Rotate environment secrets and API keys
- Audit CI/CD jobs that run with publish or deploy credentials
- Limit outbound network access where possible
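A defender-side check for the misconfiguration class behind the pull_request_target abuse described above and for the CI/CD audit step recommended here, written as an added example rather than code from the article, Socket, or the affected projects. It assumes the common risky shape (a pull_request_target job that checks out the pull request head and references secrets), not Trivy's exact workflow, and runs over two constructed sample workflows.

```python
import re

# Constructed sample (not from the page): a pull_request_target job that checks
# out the PR author's code, so untrusted code runs with the base repo's secrets.
# Assumed to be the general misconfiguration class, not Trivy's exact workflow.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
"""

# Constructed safe counterpart: plain pull_request trigger, read-only token.
SAFE_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

PRT_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
SECRET_RE = re.compile(r"\bsecrets\.(\w+)")


def audit_workflow(text: str) -> list[str]:
    """Line-oriented heuristic audit of one workflow file; returns findings."""
    findings = []
    uses_prt = bool(PRT_RE.search(text))
    if uses_prt and HEAD_REF_RE.search(text):
        findings.append("HIGH: pull_request_target checks out PR head; "
                        "untrusted PR code runs with repository secrets")
    secrets = sorted(set(SECRET_RE.findall(text)))
    if uses_prt and secrets:
        findings.append("MEDIUM: pull_request_target job references secrets: "
                        + ", ".join(secrets))
    return findings
```

Run it over every file under .github/workflows/ and treat any HIGH finding as a job whose secrets need rotating and whose trigger needs redesigning.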
"This campaign shows that low-complexity supply chain malware can still deliver high impact when it runs inside developer workspaces and CI jobs," Socket warned. "Prioritize controls that stop malicious dependencies before they execute."
The incidents highlight the growing sophistication of supply chain attacks and the emerging threat of AI-augmented attackers exploiting CI/CD misconfigurations at speed. As AI coding agents become more prevalent in developer workflows, organizations must implement runtime controls and visibility measures to prevent weaponized agents from compromising their environments.