GHSA-xhw7-jhmp-j62j: `dnp3times` was removed from crates.io due to malicious code

March 5, 2026

The dnp3times crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the dnp3time crate, but otherwise was the same attack as the recent time_calibrator and time_calibrators malware.

The malicious crate had 1 version published on 2026-03-04 approximately 6 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

References

github.com/advisories/GHSA-xhw7-jhmp-j62j
rustsec.org/advisories/RUSTSEC-2026-0032.html

Code Behaviors & Features

Detect and mitigate GHSA-xhw7-jhmp-j62j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →