https://blog.rust-lang.org/2025/09/12/crates-io-phishing-cam...
The only phishing I can see that would be extremely hard to detect is browser extension injections (either in the extension window or page replacement), so the domain is legitimate.
To make up for that, they cast a wide net. It's a numbers game, like the guys that ask every single woman they meet for their phone number. It costs nothing or next to it, and all you need is one for a payoff.
Was it ever not popular? Looking at my spam box, I receive countless phishing attempts per week, and doing some quick queries of the total count over time, it seems to have been more or less the same for the last 2-3 years at the very least.
I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?
I think most people either have the phishing emails flagged, so they never see them. The ones that get seen get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their details. And then you have the final 0.0001% who never protected themselves, were tired/stressed at that very moment, and fell for it.
So I guess ultimately it's bound to become news every now and then, until everyone finally gets the memo to get a proper password manager that doesn't show accounts that don't belong to the domain.
It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).
You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them.
You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency.
Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.
When they target me, which happens, it doesn't work because of WebAuthn.
Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself, machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance, that is a foolish misallocation of resources.
Something similar to this was in the recent npmjs thing.
What would it even mean to "log in" if they reject my authenticator? Logging in is what it's for.
It really shouldn't though, and something you need to be personally responsible for. If it's still possible in 2025 for you to fall for phishing attempts, you're missing something, something that starts with a p and ends with a assword manager.
You must be joking, are you still not using a password manager at all?
When you create the username+password combo you either do it yourself, then put the domain in the password manager, or you use whatever the password manager infers at the registration page, and that's basically it, for most sites. Then 1% of the websites insist on using signin.example.com for login and signup.example.com for signup, so you add both domains to your password manager, or example.com.
Now whenever you log in, you either see a list of accounts (meaning you're on the right domain) or you don't (which means the domain isn't correct). And before people whine about "autofill doesn't always work", it doesn't matter, the list should (also) show up from the extension modal/popup, so even if autofill doesn't work for that website, you'd be protected, since the list of accounts is empty for wrong domains.
It's really easy, and migrating to a password manager just sucks the first couple of days, every day after that you'd be happy you finally did it.
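The origin check that both the security-key comment and the password-manager comment above rely on, as an added example (not code from this thread, from any password manager, or from a WebAuthn library): a stored credential is only offered when the page's registrable domain equals the one the entry was saved under, and a WebAuthn relying party ID is only honoured when it is the origin's host or a registrable suffix of it. The suffix list, vault entries and URLs are constructed for the demonstration; a real implementation would consult the full Public Suffix List.

```javascript
// Added example, not code from the thread or from any password manager:
// the origin check a password manager (and a WebAuthn client) applies
// before offering a stored credential. PUBLIC_SUFFIXES is a constructed
// stub standing in for the real Public Suffix List.

const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "dev", "io", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname:
//   "signin.example.com" -> "example.com", "crates.io" -> "crates.io".
// Returns null for a bare suffix or an unknown TLD so callers refuse to match.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Password-manager rule: a vault entry is offered only over HTTPS and only
// when the page's registrable domain equals the entry's. A lookalike such as
// rustfoundation.dev therefore produces an empty list for a rust-lang.org entry.
function credentialsForOrigin(vault, pageUrl) {
  const url = new URL(pageUrl);
  if (url.protocol !== "https:") return [];
  const pageDomain = registrableDomain(url.hostname);
  if (pageDomain === null) return [];
  return vault
    .filter((entry) => registrableDomain(entry.domain) === pageDomain)
    .map((entry) => entry.username);
}

// WebAuthn rule: the relying party ID must equal the origin's host or be a
// registrable suffix of it, and may never be a bare public suffix. A key
// registered for github.com cannot be exercised from a different domain.
function rpIdAllowedForOrigin(rpId, originUrl) {
  const host = new URL(originUrl).hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (registrableDomain(id) === null) return false; // rejects "com", "io", ...
  return host === id || host.endsWith("." + id);
}

// Constructed vault for the demonstration (hypothetical accounts).
const SAMPLE_VAULT = [
  { domain: "github.com", username: "alice-gh" },
  { domain: "rust-lang.org", username: "alice" },
  { domain: "signin.example.com", username: "alice@example.com" },
];

console.log("lookalike:", credentialsForOrigin(SAMPLE_VAULT, "https://rustfoundation.dev/login"));
console.log("sibling host:", credentialsForOrigin(SAMPLE_VAULT, "https://signup.example.com/"));
console.log("rpId github.com from lookalike:", rpIdAllowedForOrigin("github.com", "https://rustfoundation.dev"));
```

The empty list for the lookalike domain is the signal the commenters describe: nothing is auto-filled and nothing appears in the extension popup, which is the moment to stop and look at the address bar. The WebAuthn check is the same idea enforced by the browser rather than by the user, which is why a security key does not hand anything to a phishing page at all.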
I seem to recall that the typos and grammar errors were intentional. This gets rid of skeptical people, and you're left with those who are extremely gullible and likely to fall for it.
For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.
https://www.anthropic.com/news/detecting-countering-misuse-a...
That e-mail does not pass my sniff test.
I do think it was a decent attempt. A phishing attempt making it past gmail's spam filter is somewhat rare for me. Certainly less than weekly. And something this targeted is definitely a ~yearly occurrence (or less).
The major tip-offs for me were:
1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders.
2. If a security incident like this had occurred, there would 100% have been some kind of public communication about it on the rust-lang.org domain. I get notified whenever there's a new post there. So I knew this wasn't referencing a real event.
3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense.
And then finally, the URL is funny.
The somewhat scary part here though is that all of my points above come from being pretty dialed into the Rust organization and how things actually work.
But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a "forgot my password" flow or something).
Finally, when I worked at Salesforce, the IT team there would occasionally send out fake phishing emails and ask you to report them to the team. I never fell for one, but I assume if I had, I would have been notified about it. I thought it was a very effective campaign because it always kept me on my toes.
The worst part is that when I call the bank to see if it's legit, they are much less pleasant to deal with than the scammers...
+1
This is so true. I just never realized that is why I'm always tempted to not bother doing the right thing.
And don't trust the number you see on Google. Google is known to show scammers' phone numbers in featured snippets or in their new "AI Mode". Click on the link and make sure it's the correct site before trusting the number.
I was speaking to a pharmacist yesterday. Apparently certain pharmacy insurance companies in the US have set up call centers that randomly call people and ask.
"We are from the fraud check department. Did you ask to receive XYZ medication that your insurance paid $$$$$$ for?" The guy, whose salary is an order of magnitude smaller, immediately panics and denies he ever asked for XYZ, even though they are obviously taking the medication. The purpose is of course for pharmacy insurance companies to challenge/deny claims on ALL XYZ orders the pharmacy made.
Of course checking insurance payouts is a hassle so most people reach for panic first and shortly thereafter denial.
— You just need to do accept <whatever, I forget> and you’ll pay less.
— But I don’t want to switch providers, I’m happy with the current one.
— Oh no, you’ll stay with the same provider, we’re with them, that doesn’t change.
— Alright, then I’ll call the company to discuss this further and get the discount.
— Unfortunately, this is only valid this way. Not by calling or online.
— Then I’m not interested. Goodbye.
One of my neighbours was tricked at a different time by a similar scam, forcing them into a contract with a different company.
https://docs.github.com/en/authentication/authenticating-wit...
What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack.
The attack:
1. Register a paypal business account
2. Add the victim's email address (or one that forwards to them) to the biz account's "secondary users"
3. Add a custom invitation message about how they have a $900 charge that they need to contest by calling a phone number that you control.
4. Paypal shows your custom invitation message inline with their official email with no indication that it was written by someone other than paypal (wtf?)
Here's the email that was of course surrounded by Paypal's own official email chrome:
> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.
I called the number and some guy started asking me for my info starting with my full name. I didn't hang around on the call long enough to see what the attack was.
What happens next, when they become the business account secondary user?
They will attempt to get you to install AnyDesk or some kind of remote software and then pwn your computer. They will remote in "to fix the hack" because your computer is obviously infected with a virus. Then either just steal your money from your bank account or etc.
There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!
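The control the comment above says is missing, as an added example that is not PayPal's code or anything from this thread: before a customer-supplied invitation note is embedded in a platform-signed email, screen it for phone numbers, web addresses and contact pretexts, and reject it when a contact channel is present. The sample messages, the domain name and the phone number in them are constructed placeholders, not the ones quoted in the thread.

```javascript
// Added example, not PayPal's code: an outbound-content check for
// free-text fields that a platform renders inside its own official email.
// Patterns are deliberately simple; production screening would cover
// international number formats and use a real URL parser.

// Loose North American phone pattern (optional +1, optional parentheses).
const PHONE_RE = /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g;
// Explicit URLs plus bare domain names such as "something.com".
const LINK_RE = /\bhttps?:\/\/\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|dev)\b/gi;
// Words that turn a note into a pretext for contacting the sender.
const PRETEXT_WORDS = ["contact", "call", "dispute", "charge", "suspend"];

// Returns { allowed, phones, links, pretextHits, review }.
// allowed  : false when any phone number or link is present (hard reject)
// review   : true when two or more pretext words appear, for human triage
function screenInvitationMessage(message) {
  const phones = message.match(PHONE_RE) || [];
  const links = message.match(LINK_RE) || [];
  const lower = message.toLowerCase();
  const pretextHits = PRETEXT_WORDS.filter((w) => lower.includes(w));
  return {
    allowed: phones.length === 0 && links.length === 0,
    phones,
    links,
    pretextHits,
    review: pretextHits.length >= 2,
  };
}

// Constructed samples (placeholder domain and a 555 test number).
const SCAM_STYLE_NOTE =
  "New Profile Charge: We have detected a charge of $910.45 USD at " +
  "Example-Exchange.com. To dispute, contact PayPal at (555) 555-0100. " +
  "Otherwise, no action is required.";
const BENIGN_NOTE = "Welcome aboard, please accept the invitation to join our team.";

console.log(screenInvitationMessage(SCAM_STYLE_NOTE));
console.log(screenInvitationMessage(BENIGN_NOTE));
```

The decisive property is that the check runs on the platform's side: the email is still authentically signed and still links to the real site, so the only place the scam can be stopped is the free-text field before it is rendered as if it were the platform's own words.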
Chad Rust Devs
vs.
Virgin NPM Devs Falling For Phishing
Amusing. You have to ignore SSL to get the image since the site has HSTS enabled.
A coincidence is that today I got a "two factor code from Coinbase. If you did not request this, call this number". Ho ho ho. Yes, I will call your number, Coinbase.
Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge).
As chad as Rust devs supposedly are, something tells me at least a few of them are going to fall for this attack.
I dunno, same was said about the npm email, but I think this one is even worse.
First off, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. What information would even be compromised here, the GitHub profile's email?
Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people, but fair enough, most people don't have knowledge of the Rust organizations, I'm guessing.
Thirdly, if there truly was a security issue with crates, I'd expect that to be plastered all over the internet, not least the official Rust website and crates.io, immediately. They wouldn't wait and reach out to authors first, then publicly announce it. Would be my guess at least.
In the end, a tired and/or stressed person could miss all of those things, which happens sometimes with phishing. We're all human after all, shit goes through the cracks sometimes, even to the best of us.
That's why it's really important that people stop trying to fight phishing by manually preventing it with processes, or going to the website instead of clicking links and so on. Just get a password manager that connects domains with credentials, then when the list of accounts doesn't show up when you expect it to, pay close attention to what's going on. Otherwise you can just move forward without much thinking.
dmarto•2h ago
autoexec•53m ago
dmarto•7m ago
> crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)
So far: rickroll → Strong Dog vs Weak Dog meme → future plans → advertisement.