GHSA-MH23-RW7F-V5PQ: Malicious 'time-sync' Crate Exfiltrating Environment Secrets

via Dev.to, CVE Reports

Vulnerability ID: GHSA-MH23-RW7F-V5PQ
CVSS Score: 9.8
Published: 2026-03-05

A critical security advisory has been issued for the Rust crate time-sync, which was identified as a malicious package intended to conduct a supply chain attack. Published to crates.io, the package purported to be a time synchronization utility but contained concealed logic to locate, read, and exfiltrate sensitive .env configuration files from the host system to a remote server controlling the timeapi.io domain or a spoofed variant thereof. The crate was removed from the registry approximately 50 minutes after publication.

TL;DR

The time-sync Rust crate contains malware that steals .env files and sends them to a remote server. It was active on crates.io for 50 minutes on March 4, 2026. Any project that installed this crate must consider all environment secrets compromised and rotate them immediately.

⚠️ Exploit Status: ACTIVE T
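One way to check whether a project ever locked this crate, as an added example that is not part of the advisory: the Rust program below parses Cargo.lock text, reports any `time-sync` entry and names the packages that depend on it directly. The sample lockfile, the `demo-app` name and the `0.0.0` version are constructed placeholders; the excerpt here gives no affected version, so the match is by crate name only.

```rust
// Added example (std only): parse Cargo.lock [[package]] tables, find a crate and its dependents.
#[derive(Debug, Default, Clone)]
struct Package { name: String, version: String, source: Option<String>, deps: Vec<String> }
fn unquote(s: &str) -> String {
    s.trim().trim_end_matches(',').trim_matches('"').to_string()
}
fn parse_lock(text: &str) -> Vec<Package> {
    let (mut pkgs, mut in_pkg, mut in_deps) = (Vec::<Package>::new(), false, false);
    for line in text.lines().map(str::trim) {
        if in_deps {
            // Entries look like "name", "name version" or "name version (source)".
            let dep = unquote(line);
            if line == "]" { in_deps = false; }
            else if let (Some(p), Some(n)) = (pkgs.last_mut(), dep.split_whitespace().next()) {
                p.deps.push(n.to_string());
            }
        } else if line == "[[package]]" {
            pkgs.push(Package::default());
            in_pkg = true;
        } else if line.starts_with('[') {
            in_pkg = false; // another table, e.g. [metadata]
        } else if let (true, Some((k, v))) = (in_pkg, line.split_once('=')) {
            let p = pkgs.last_mut().unwrap();
            match k.trim() {
                "name" => p.name = unquote(v),
                "version" => p.version = unquote(v),
                "source" => p.source = Some(unquote(v)),
                "dependencies" => in_deps = v.trim() == "[",
                _ => {}
            }
        }
    }
    pkgs
}

/// Returns (locked entries for `target`, names of packages depending on it directly).
fn find_crate(pkgs: &[Package], target: &str) -> (Vec<Package>, Vec<String>) {
    let hits = pkgs.iter().filter(|p| p.name == target).cloned().collect();
    let parents = pkgs.iter().filter(|p| p.deps.iter().any(|d| d == target))
        .map(|p| p.name.clone()).collect();
    (hits, parents)
}
// Constructed sample lockfile; package names other than time-sync and all versions are placeholders.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"demo-app\"\nversion = \"0.1.0\"\ndependencies = [\n \"time-sync 0.0.0\",\n]\n\n[[package]]\nname = \"time-sync\"\nversion = \"0.0.0\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\n";

fn main() {
    let (hits, parents) = find_crate(&parse_lock(SAMPLE_LOCK), "time-sync");
    for p in &hits { println!("FOUND {} {} ({:?}), required by {:?}", p.name, p.version, p.source, parents); }
}
```

A clean result only shows the crate is absent from the current lockfile; lockfile history in version control and CI build logs from the publication window cover earlier resolutions.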
