GHSA-g38r-8gmr-ghrf: `mysten-metrics` was removed from crates.io for malicious code
mysten-metrics included a build script that attempted to exfiltrate data from the build machine.
The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io.
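A lockfile check for this advisory, as an added example (not part of the advisory or of any project's tooling): it flags a `mysten-metrics` entry in `Cargo.lock` only when it resolves from the crates.io registry, which is where the removed crate was published. The sample lockfile, its version `0.0.0`, the checksum and the git URL are constructed placeholders.

```python
import re
import sys

ADVISORY_CRATE = "mysten-metrics"  # crate name from GHSA-g38r-8gmr-ghrf
CRATES_IO_MARKERS = ("crates.io-index", "index.crates.io")

# Constructed sample lockfile: version, checksum and git URL are placeholders.
SAMPLE_LOCK = '''
version = 3

[[package]]
name = "mysten-metrics"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "<constructed>"

[[package]]
name = "mysten-metrics"
version = "0.0.0"
source = "git+https://example.invalid/repo.git#0000000"

[[package]]
name = "app"
version = "1.0.0"
dependencies = [
 "mysten-metrics 0.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
'''

def parse_lock_packages(lock_text):
    """Return one dict (name, version, source) per [[package]] table."""
    packages, current = [], None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # some other table, e.g. [metadata]
        elif current is not None:
            m = re.match(r'^(name|version|source)\s*=\s*"([^"]*)"$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages

def find_advisory_hits(lock_text):
    """List (name, version, source) for registry-sourced copies of the crate."""
    hits = []
    for pkg in parse_lock_packages(lock_text):
        # crates.io treats '-' and '_' as the same character in crate names.
        name = pkg.get("name", "").lower().replace("_", "-")
        source = pkg.get("source", "")  # path dependencies have no source
        if name == ADVISORY_CRATE and any(m in source for m in CRATES_IO_MARKERS):
            hits.append((pkg["name"], pkg.get("version", "?"), source))
    return hits

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_advisory_hits(text)
    for hit in hits:
        print("GHSA-g38r-8gmr-ghrf match:", *hit)
    sys.exit(1 if hits else 0)
```

Run it with a path to `Cargo.lock`; a non-zero exit status means a registry-sourced copy is pinned, so any machine that built that lockfile should be treated as having run the build script.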
Detect and mitigate GHSA-g38r-8gmr-ghrf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.