GHSA-77xj-rrh3-wx3v: `time_calibrator` was removed from crates.io due to malicious code

March 4, 2026

It was reported time_calibrator contained malicious code, that would try to upload .env files to a server.

The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates depending on this crate on crates.io.

Rust security response working group thanks Gabriel Silva for finding and reporting this, and thanks to Emily Albini for co-ordinating with the crates.io and infra-admin teams.

References

github.com/advisories/GHSA-77xj-rrh3-wx3v
rustsec.org/advisories/RUSTSEC-2026-0030.html

Code Behaviors & Features

Detect and mitigate GHSA-77xj-rrh3-wx3v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →