Rust is famous for memory safety. But even the safest language can't protect you from installing a malicious crate. Supply chain attacks don't care about your borrow checker.
The crates.io Typosquat Problem
In 2022, a security researcher discovered rustdecimal on crates.io. Sounds like a math library, right?
It wasn't. It was a typosquat of the legitimate rust_decimal crate. The malicious version contained code that would steal environment variables — including AWS keys, database passwords, and API tokens.
The difference? An underscore vs a hyphen. Easy to miss. Easy to exploit.
Why Rust Projects Are Targets
Rust is increasingly used for:
- Infrastructure — Cloud services, databases, networking
- Crypto — Wallets, smart contracts, blockchain nodes
- Security tools — Ironically, the tools meant to protect you
These are high-value targets. Compromise a dependency in a crypto wallet, and you can steal millions. Attackers know this.
The AI Hallucination Risk
Ask ChatGPT for Rust code, and it might suggest crates that don't exist. It sees patterns in training data and generates plausible-sounding names.
For example: async-http-client, json-validator, crypto-utils — these sound like real crates. Some aren't. And if someone registers them with malicious code, you've got a problem.
crates.io's Security Model
crates.io is the official Rust package registry. It's better than some alternatives:
- Crates can't be deleted (prevents name recycling attacks)
- Download counts are public (low count = red flag)
- RustSec Advisory Database tracks known vulnerabilities
But it doesn't do upfront malware scanning. That's on you.
How to Stay Safe
1. Use cargo-audit. It checks your Cargo.lock against the RustSec database. Run cargo audit in CI. No excuses.
2. Check download counts. A "popular" crate with 50 downloads is not popular. It's suspicious.
3. Verify the repo. Every crate links to its source. Click through. Check the GitHub stars, commit history, and maintainer activity.
4. Use cargo-crev. It's a code review system for Rust crates. You can see reviews from other developers before trusting a dependency.
5. Don't trust AI suggestions blindly. Verify every crate exists on crates.io before adding it to your Cargo.toml.
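Steps 2, 3 and 5 above, together with the typosquat and hallucinated-name examples earlier in the post, reduce to one mechanical check per dependency: does the crate exist, how many downloads does it have, and is its name a lookalike of a well-known crate. The script below is an added example written for this page; it is not Redakta's or Cargo's code. It assumes the crates.io JSON endpoint `GET /api/v1/crates/{name}` returns a `crate.downloads` field (kept behind a replaceable `lookup` callable), and it runs against a constructed sample `Cargo.toml` and a constructed stand-in index so it works offline. The popular-crate allow-list, the download threshold and the minimal manifest parser are simplifications: in practice seed the list from the registry's own most-downloaded crates and parse the manifest with a real TOML library.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample manifest (not from any real project). 'rustdecimal'
# mirrors the 2022 typosquat described above; 'json-validator' and
# 'crypto-utils' stand in for names an AI assistant might invent.
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1.0"
rust_decimal = { version = "1.35", features = ["serde"] }
rustdecimal = "1.0"
json-validator = "0.3"
tokio = { version = "1", features = ["full"] }

[dev-dependencies]
crypto-utils = "0.1"
"""

# Constructed allow-list of well-known crates (assumption: a real deployment
# would seed this from the registry's most-downloaded list).
POPULAR_CRATES = {"serde", "tokio", "rust_decimal", "rand", "regex", "reqwest"}

# Constructed stand-in for the registry so the example runs offline.
FAKE_INDEX = {
    "serde": {"downloads": 500_000_000},
    "rust_decimal": {"downloads": 20_000_000},
    "rustdecimal": {"downloads": 37},
    "tokio": {"downloads": 300_000_000},
}

DEP_LINE = re.compile(r'^"?([A-Za-z0-9_-]+)"?\s*=\s*(.+?)\s*$')
PACKAGE_RENAME = re.compile(r'package\s*=\s*"([^"]+)"')


def parse_dependencies(manifest: str) -> List[str]:
    """Crate names from every *dependencies table. Deliberately minimal:
    handles `name = "ver"` and inline tables (honouring `package = "..."`
    renames) but not `[dependencies.name]` sub-tables."""
    names, in_deps = [], False
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (naive)
        if not line:
            continue
        if line.startswith("["):
            in_deps = line.endswith("dependencies]")
            continue
        m = DEP_LINE.match(line) if in_deps else None
        if m:
            key, value = m.groups()
            rename = PACKAGE_RENAME.search(value)
            names.append(rename.group(1) if rename else key)
    return names


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; crate names are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    # A '-'/'_' swap or drop is the classic lookalike, so fold both away.
    return name.lower().replace("-", "").replace("_", "")


def typosquat_candidate(name: str, popular=POPULAR_CRATES) -> Optional[str]:
    """A well-known crate this name is suspiciously close to, or None."""
    if name in popular:
        return None
    folded = normalize(name)
    for known in sorted(popular):
        if normalize(known) == folded or levenshtein(name, known) <= 1:
            return known
    return None


def crates_io_lookup(name: str) -> Optional[dict]:
    """Live lookup (assumed shape: GET /api/v1/crates/{name} -> {"crate":
    {"downloads": N}}). crates.io rejects requests without a User-Agent."""
    req = urllib.request.Request(
        f"https://crates.io/api/v1/crates/{name}",
        headers={"User-Agent": "cargo-dep-check example (defensive audit)"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"downloads": json.load(resp)["crate"]["downloads"]}
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # crate does not exist on the registry
        raise


def audit_dependencies(manifest: str,
                       lookup: Callable[[str], Optional[dict]] = crates_io_lookup,
                       min_downloads: int = 1000,
                       popular=POPULAR_CRATES) -> Dict[str, List[str]]:
    """Map each suspicious dependency name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for name in parse_dependencies(manifest):
        issues = []
        meta = lookup(name)
        if meta is None:
            issues.append("not found on registry")
        elif meta["downloads"] < min_downloads:
            issues.append(f"low download count ({meta['downloads']})")
        lookalike = typosquat_candidate(name, popular)
        if lookalike:
            issues.append(f"possible typosquat of '{lookalike}'")
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    # Offline run against the constructed index; pass crates_io_lookup for a live check.
    for crate, issues in audit_dependencies(SAMPLE_CARGO_TOML, lookup=FAKE_INDEX.get).items():
        print(f"{crate}: {'; '.join(issues)}")
```

Run it as-is to see the three constructed problem crates flagged (the typosquat trips both the low-download and lookalike rules), then wire `audit_dependencies(open("Cargo.toml").read())` into CI next to `cargo audit`; a non-empty report should fail the job so a new dependency is reviewed by a human before it is merged.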
The Bottom Line
Rust gives you memory safety. It doesn't give you supply chain safety. That's a different problem, and it requires different tools.
Check your crates. Audit your dependencies. Don't let a typo compromise your project.
Scan your Cargo.toml in seconds
Redakta checks if your Rust crates exist and flags low-download packages.
Try Redakta Free