
Crates.io Users Targeted by Phishing Emails

The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.

Sarah Gooding

September 12, 2025

A phishing campaign is currently targeting crates.io users, impersonating the Rust Foundation. According to the Rust Security Response WG & crates.io team in a Sept. 12, 2025 Rust blog post, emails sent from the rustfoundation.dev domain claim that crates.io infrastructure has been compromised and urge recipients to log in to protect their packages.

“We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates.
These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials. We have no evidence of a compromise of the crates.io infrastructure.
We are taking steps to get the domain name taken down and to monitor for suspicious activity on crates.io. Do not follow any links in these emails if you receive them, and mark them as phishing with your email provider.”

The Rust team is working to get the phishing domain taken down and advises users not to click any links or provide credentials.

Meanwhile, reports from the Rust community, including Carol Nichols and Andrew Gallant, show screenshots of the fake emails circulating. Nichols noted on Mastodon that "crates.io does not expose email address in its API. The attack seems to be getting emails from github/git."

Gallant posted on Bluesky that the phishing email he received made it past Gmail's spam filters.

How Socket Is Responding

Socket announced Rust support in beta just yesterday, and our threat feed is actively monitoring crates.io for any signs of suspicious activity related to this campaign. Please note that at this time, there’s no evidence that crates.io itself has been breached. The attack is social engineering via email.

We’ll continue to track the situation and update if we detect any malicious crates or changes in the registry. For now, developers should stay alert, verify the source of any security-related emails, and report phishing attempts to the Rust team at security@rust-lang.org and help@crates.io.
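One way to apply "verify the source" in a mail-triage script, as an added example (not code from Socket or the Rust project): it flags `From:` domains that reuse a trusted name outside the trusted domain, as rustfoundation.dev does. The trusted list, function names and sample messages are assumptions; rustfoundation.org in particular is assumed to be the Rust Foundation's real domain and is not stated in this article.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# rust-lang.org and crates.io are the contact domains given in this article;
# rustfoundation.org is an assumption (not stated in the article).
TRUSTED = {"rust-lang.org", "crates.io", "rustfoundation.org"}
BRANDS = {d.split(".")[0].replace("-", "") for d in TRUSTED}

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def resembles_brand(domain):
    """True if any label left of the TLD equals or nearly equals a trusted name."""
    for label in domain.split(".")[:-1]:
        label = label.replace("-", "")
        for brand in BRANDS:
            if difflib.SequenceMatcher(None, label, brand).ratio() >= 0.85:
                return True
    return False

def classify(raw):
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    if dom in TRUSTED or any(dom.endswith("." + t) for t in TRUSTED):
        # From: is spoofable, so a trusted domain still needs a DMARC pass.
        # Only rely on an Authentication-Results header added by your own receiver.
        auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
        return "trusted" if "dmarc=pass" in auth else "trusted-domain-unauthenticated"
    return "lookalike" if resembles_brand(dom) else "unknown"

# Constructed sample messages (not the real phishing email).
SAMPLES = {
    "campaign": "From: Rust Foundation <alerts@rustfoundation.dev>\nSubject: x\n\nbody",
    "embedded": "From: crates.io <noreply@crates.io.example.net>\nSubject: x\n\nbody",
    "legit": ("Authentication-Results: mx.example.net; dmarc=pass header.from=crates.io\n"
              "From: crates.io <help@crates.io>\nSubject: x\n\nbody"),
    "spoofed": "From: crates.io <help@crates.io>\nSubject: x\n\nbody",
    "other": "From: Someone <user@example.com>\nSubject: x\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {classify(raw)}")
```

A "lookalike" verdict is a triage signal for quarantine or review, not proof of phishing, and the label comparison does not account for multi-part public suffixes.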
