Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
12 total in cargo · sorted newest first
- Apr 28, 2026
Malicious code in supertag (crates.io)
1 compromised version
- Apr 28, 2026
Malicious code in lsh (crates.io)
2 compromised versions
- Apr 27, 2026
Malicious code in amzn_codewhisperer_streaming_client (crates.io)
1 compromised version
- Apr 27, 2026
Malicious code in amzn_consolas_client (crates.io)
1 compromised version
- Apr 27, 2026
Malicious code in semantic_search_client (crates.io)
1 compromised version
- Apr 20, 2026
Malicious code in mysten_metrics (crates.io)
1 compromised version
- Nov 4, 2025
`replit_ruspty` was removed from crates.io for malicious code
- Nov 4, 2025
Malicious code in replit_ruspty (crates.io)
1 compromised version
- Nov 3, 2023
Malicious code in littest (crates.io)
1 compromised version
- Aug 11, 2022
Malicious code in rustdecimal (crates.io)
- Aug 11, 2022
`rustdecimal` is a malicious crate
- May 10, 2022
malicious crate `rustdecimal`