Skip to content

`time_calibrators` was removed from crates.io due to malicious code

Critical severity GitHub Reviewed Published Mar 4, 2026 to the GitHub Advisory Database • Updated Mar 4, 2026

Package

cargo time_calibrators (Rust)

Affected versions

>= 0

Patched versions

None

Description

The time_calibrators crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.

The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Rust security response working group thanks cybergeek for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io team.

References

Published to the GitHub Advisory Database Mar 4, 2026
Reviewed Mar 4, 2026
Last updated Mar 4, 2026

Severity

Critical

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-wf45-3gpw-vrqv

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.