{"id":"GHSA-3mmg-7c2q-8938","summary":"`sha-rust` was removed from crates.io for malicious code","details":"It appeared to be attempting to steal credentials from local files.","aliases":["RUSTSEC-2025-0146"],"modified":"2026-02-23T07:26:19.652388Z","published":"2026-02-06T20:58:58Z","database_specific":{"nvd_published_at":null,"github_reviewed_at":"2026-02-06T20:58:58Z","cwe_ids":[],"github_reviewed":true,"severity":"CRITICAL"},"references":[{"type":"WEB","url":"https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2025-0146.html"}],"affected":[{"package":{"name":"sha-rust","ecosystem":"crates.io","purl":"pkg:cargo/sha-rust"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3mmg-7c2q-8938/GHSA-3mmg-7c2q-8938.json"}}],"schema_version":"1.7.3"}