GHSA-XP79-9MXW-878J: The Finch That Stole Your Keys: Autopsy of the Malicious `finch-rst` Crate
How-To, Security

via Dev.to, CVE Reports

Vulnerability ID: GHSA-XP79-9MXW-878J
CVSS Score: 10.0
Published: 2026-02-12

The Rust ecosystem prides itself on memory safety, effectively killing entire classes of bugs like buffer overflows and use-after-frees. However, the borrow checker cannot save you from yourself—or more specifically, from the code you voluntarily invite into your house.

GHSA-XP79-9MXW-878J details a supply chain attack involving `finch-rst`, a malicious crate uploaded to crates.io. Masquerading as a legitimate bioinformatics tool, this package was designed not to process data, but to exfiltrate it. It leverages the inherent trust developers place in the Cargo build system to execute arbitrary code on developer machines and CI/CD pipelines immediately upon installation.

TL;DR

The `finch-rst` package on crates.io contains malicious code. It likely utilizes typosquatting to target users of the legitimate `finch` library. The moment you run cargo
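As an added illustration (not code from the article or from the advisory), here is a small defensive check a project could run in CI: it reads Cargo.lock and flags crate names that are near-misses of the crates the project actually intended to depend on, the `finch` versus `finch-rst` pattern the advisory describes. The Cargo.lock fragment is constructed; the allowlist of intended crates and the typo-distance threshold are assumptions.

```python
# Added example (not from the article or the advisory): CI-style typosquat check over Cargo.lock.
import re
NAME_RE = re.compile(r'^name\s*=\s*"([^"]+)"$')

# Constructed Cargo.lock fragment; 'finch-rst' is the crate named in the advisory.
SAMPLE_LOCK = """\
version = 3
[[package]]
name = "finch-rst"
version = "0.1.0"

[[package]]
name = "serde"
version = "1.0.0"
"""

def lock_package_names(lock_text):
    """Names from every [[package]] table (minimal line parser, no toml dependency)."""
    names, in_pkg = [], False
    for line in lock_text.splitlines():
        line = line.strip()
        if line.startswith("[["):
            in_pkg = line == "[[package]]"   # other tables (e.g. [metadata]) are skipped
        elif in_pkg and (m := NAME_RE.match(line)):
            names.append(m.group(1))
    return names

def edit_distance(a, b):  # Levenshtein distance, catches one- or two-character typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_names(lock_text, intended, max_typo=2):
    """(lock_name, intended_name) pairs: lock entries off the allowlist that are a typo of, or an affix on, an intended crate."""
    norm = lambda n: n.replace("_", "-").lower()   # crates.io treats '-' and '_' alike
    allowed = [norm(n) for n in intended]
    hits = []
    for name in lock_package_names(lock_text):
        n = norm(name)
        for want, a in zip(intended, allowed):
            affixed = n.startswith(a + "-") or n.endswith("-" + a)   # finch -> finch-rst
            if n not in allowed and (affixed or edit_distance(n, a) <= max_typo):
                hits.append((name, want))
                break
    return hits
```

Run it against the real Cargo.lock with the project's own allowlist; a non-empty result is a signal to inspect the flagged crate (and its build script) before the next `cargo build` executes it.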

Continue reading on Dev.to
