Security Advisory: CrateDepression

Developer Advocate

CrateDepression is a software supply chain attack designed to target GitLab CI pipelines by impersonating legitimate Rust packages and their developers. After a GitHub user notified them in early May, the Rust Security Response Working Group (WG) and the crates.io team published a security bulletin about the incident, and a recent paper by SentinelOne's research team sheds more light on the complete attack, including its sophistication and potential damage.

What Is CrateDepression?

Similar to the chainjacking attack, this attack relies on typosquatting: it targets developers who use rust_decimal and tricks them into consuming the poisoned dependency rustdecimal instead. The malicious crate contained the same source code and functionality as the legitimate rust_decimal crate, except for the Decimal::new function.

The malicious developer responsible for CrateDepression undoubtedly made this crate similar to the legitimate one on purpose.

The malicious package was intended to work as follows: if it runs inside an active GitLab CI process, it downloads a second-stage payload from its command-and-control server, which gives the attacker complete control of the build process.

The Rust Security Response WG released an advisory announcing the discovery of a malicious crate hosted on the Rust community's dependency repository. To protect the ecosystem's security, the crates.io team removed the offending crate from the registry as soon as they were made aware of the malware.

The rust_decimal crate was not affected by this CrateDepression attack, so any developers using this crate should have no issue. 

How to Protect Your Organization from CrateDepression (and Other Typosquatting Attacks)

Ensure that all of your organization's development teams use the correct version of this library. The typos that typosquatting attacks rely on are easy to make, especially for hardworking developers who value speed. Awareness of current typosquatting and dependency squatting threats is low, so until that changes, security teams will need to build in checks that ensure each dependency is the intended asset. Cycode can help satisfy these checks.
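One way to build such a check into a CI job, as an added example that is not from the original article or from Cycode: it reads package names from Cargo.lock text and flags any unapproved name that differs from an approved crate only by separators or a single character, which is the rustdecimal versus rust_decimal case. The allowlist, the sample lock file and all function names are assumptions made for illustration.

```python
import re

# Assumption: crates this team intends to depend on (hypothetical allowlist).
APPROVED = {"rust_decimal", "serde", "num-traits"}

# Constructed Cargo.lock excerpt, not taken from a real project.
SAMPLE_LOCK = """
[[package]]
name = "rust_decimal"
[[package]]
name = "rustdecimal"
[[package]]
name = "arrayvec"
"""

def lock_package_names(lock_text):
    """Return every package name recorded in Cargo.lock text."""
    return re.findall(r'^name\s*=\s*"([^"]+)"', lock_text, flags=re.M)

def squash(name):
    """Lowercase and drop '-' and '_', so rust_decimal and rustdecimal collide."""
    return re.sub(r"[-_]", "", name.lower())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(lock_text, approved=APPROVED):
    """List (suspect, approved) pairs: unapproved names within one edit of an approved crate."""
    findings = []
    for name in lock_package_names(lock_text):
        if name in approved:
            continue
        near = [g for g in sorted(approved) if edit_distance(squash(name), squash(g)) <= 1]
        if near:
            findings.append((name, near[0]))
    return findings

if __name__ == "__main__":
    hits = find_lookalikes(SAMPLE_LOCK)
    print(hits)
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

Unrelated transitive dependencies such as arrayvec pass untouched; very short crate names can produce false positives at distance one and may need manual exceptions.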


With Cycode’s knowledge graph, you can quickly identify instances where this threat exists in your organization.

Powered by its knowledge graph, Cycode’s advanced detection capabilities correlate event data and user activity across the SDLC to create contextual insights and automate remediation. Cycode delivers security, governance, and pipeline integrity without disrupting developers’ velocity. 

Want to Learn More?

Schedule a demo or visit our website to learn how Cycode can help improve your software supply chain security.