Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets Researchers uncovered five malicious Rust crates on crates.io that masqueraded as time-related utilities and exfiltrated .env file data to threat actor-controlled infrastructure. The campaign (notably chrono_anchor) impersonated timeapi.io via timeapis[.]io, and a related AI-powered attack using hackerbot-claw exploited GitHub Actions to compromise Aqua Security’s Trivy extension (CVE-2026-28353), leading to removals and...

Five malicious Rust crates disguised as time utilities stole .env data by mimicking timeapi.io. An AI bot exploited GitHub Actions to hijack Aqua Security’s Trivy (CVE-2026-28353), prompting removals and audits. #RustSecurity #GitHubActions #USA