CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-99j7-fhr2-xfj4: `exploration` was removed from crates.io for malicious code

critical
A method within the exploration crate attempted to download and execute a payload from a remote site. The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io. Rustsec to Kirill Boychenko from the Socket Threat Research Team for reporting this crate.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-99j7-fhr2-xfj4

More from GitHub Security Advisories