{"id":"RUSTSEC-2026-0039","summary":"`chrono_anchor` was removed from crates.io due to malicious code","details":"The `chrono_anchor` crate attempted to exfiltrate `.env` files to a server that\nwas in turn impersonating the legitimate `timeapi.io` service.\n\nThe malicious crate had 1 version published on 2026-03-04 approximately 6 days\nbefore removal and had no evidence of actual downloads. There were no crates\ndepending on this crate on crates.io.\n\nThanks to [Socket][socket] for reporting this crate. They have published\n[a blog post][blog] about this recent campaign, and we advise users of\n`timeapi.io` to exercise caution when using crates to interact with that\nservice.\n\n[socket]: https://socket.dev\n[blog]: https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files","modified":"2026-03-17T22:45:08.508080Z","published":"2026-03-10T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/chrono_anchor"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0039.html"}],"affected":[{"package":{"name":"chrono_anchor","ecosystem":"crates.io","purl":"pkg:cargo/chrono_anchor"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"os":[],"arch":[],"functions":[]},"affected_functions":null},"database_specific":{"categories":["malicious"],"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0039.json"}}],"schema_version":"1.7.5"}