Skip to content

`time_calibrator` was removed from crates.io due to malicious code

Critical severity GitHub Reviewed Published Mar 4, 2026 to the GitHub Advisory Database

Package

cargo time_calibrator (Rust)

Affected versions

>= 0

Patched versions

None

Description

It was reported time_calibrator contained malicious code, that would try to upload .env files to a server.

The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates depending on this crate on crates.io.

Rust security response working group thanks Gabriel Silva for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io and infra-admin teams.

References

Published to the GitHub Advisory Database Mar 4, 2026
Reviewed Mar 4, 2026

Severity

Critical

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-77xj-rrh3-wx3v

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.