GHSA-mh23-rw7f-v5pq: `time-sync` was removed from crates.io due to malicious code

March 5, 2026

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we’ve seen three times in the last few days.

The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

References

github.com/advisories/GHSA-mh23-rw7f-v5pq
rustsec.org/advisories/RUSTSEC-2026-0036.html

Code Behaviors & Features

Detect and mitigate GHSA-mh23-rw7f-v5pq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →