GHSA-vgr2-r5hm-f6gf: `sha-rst` was removed from crates.io for malicious code

February 12, 2026

This crate was used as a dependency by finch_cli_rust and finch-rst and contained a malware payload to exfiltrate credentials.

The malicious crate had 1 version published on 2025-12-08 and had been downloaded 22 times. Other than the other crates above that were part of the attack, no other crates depedended on this crate.

Thanks to Matthias Zepper of NGI Sweden for reporting this to the crates.io team!

References

github.com/advisories/GHSA-vgr2-r5hm-f6gf
rustsec.org/advisories/RUSTSEC-2025-0151.html

Code Behaviors & Features

Detect and mitigate GHSA-vgr2-r5hm-f6gf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →