A phishing campaign targeted crates.io maintainers this week, prompting a security alert from the Rust Security Response WG. While the attack attempted to harvest credentials, the team confirmed that the package registry's infrastructure remains secure.
The incident serves as a sharp reminder that package ecosystems are a prime target for supply chain attacks. The team's swift and transparent handling of the situation demonstrates a mature response model for protecting the community.
In today's Rust recap:
> Phishing attack targets crates.io maintainers
> Google Cloud launches its official Rust SDK
> A zero-copy SQL parser delivers 3.3x speedup
> Rust rewrites core internet utilities like sudo and zlib
Security Alert: Phishing Attack on Crates.io Users
The Recap: The Rust Security Response WG issued an official warning about a phishing campaign targeting crates.io maintainers. The attack used a malicious rustfoundation.dev domain to try and steal GitHub credentials, but the team confirmed there is no evidence of a compromise of crates.io infrastructure.
Unpacked:
The attack involved emails falsely claiming a data breach, directing users to a fake GitHub sign-in page to harvest credentials, as detailed in the initial GitHub discussion.
The crates.io team's swift and transparent response included sending takedown requests for the domain, contacting GitHub's security team, and actively monitoring API token creation for suspicious activity.
It is critical to note that the claims of a breach were part of the phishing lure itself; the security team found no evidence of a compromise to the package registry's infrastructure.
Bottom line: This incident serves as a sharp reminder that package registry ecosystems are key targets for supply chain attacks. The rapid and open communication from the security team demonstrates a mature response model that helps protect the entire ecosystem.
Google Cloud Goes Rusty
The Recap: Google Cloud has officially launched its Rust SDK, providing first-class, idiomatic support for developers building secure and high-performance applications on its platform.
Unpacked:
The SDK offers access to over 140 Google Cloud APIs, including key services like Vertex AI, Cloud Storage, and Identity and Access Management.
It streamlines development with built-in support for multiple authentication methods, such as Application Default Credentials and OAuth2.
The project is fully open-source with its source code on GitHub, where Google encourages feedback and contributions from the community.
Bottom line: Google's official backing provides a stable foundation for building enterprise-grade Rust applications on its cloud. This move signals growing confidence in Rust for critical infrastructure and should accelerate its adoption in large-scale systems.
Rewriting a Bottleneck in Rust
The Recap: Database company Databend fixed a major performance bottleneck where parsing took up 66% of a query's runtime. They rewrote their SQL parser from scratch in Rust, guided by the language's core principles to achieve a 3.3x speedup.
Unpacked:
To eliminate memory overhead, the team built a zero-copy AST using borrowed string slices (&'a str), a design detailed in their demo repository.
Instead of generic messages, the new parser uses furthest-error-tracking to pinpoint the exact location of a syntax error and suggest fixes for common typos.
They simplified the architecture by strictly separating syntax from semantics, which allowed them to remove over 2,000 lines of complex code related to validation.
Bottom line: Databend's story demonstrates how Rust's constraints can be a feature, not a bug, actively guiding developers to superior architectural solutions. This approach results in code that is not only safer but also significantly more performant and maintainable.
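To make the two design points above concrete, here is a small illustrative parser added to this recap (not Databend's code): the AST borrows `&'a str` slices straight out of the input buffer, and the parser records the furthest byte offset at which matching failed so the error names the exact spot. The SELECT grammar, type names and helper functions are all assumptions for the example.

```rust
// Zero-copy parser for a tiny SELECT subset, with furthest-error tracking.
// Illustrative code added to this recap, not Databend's parser.
// AST nodes hold &'a str slices borrowed from the input; nothing is copied.
pub struct Select<'a> { pub columns: Vec<&'a str>, pub table: &'a str }
// Error reports the furthest byte offset reached and what was expected there.
pub struct ParseError { pub offset: usize, pub expected: &'static str }
struct Parser<'a> { src: &'a str, pos: usize, furthest: (usize, &'static str) }

impl<'a> Parser<'a> {
    fn skip_ws(&mut self) { while self.src[self.pos..].starts_with(' ') { self.pos += 1; } }
    // Furthest-error tracking: keep only the deepest point of failure, so
    // "SELECT id FROM" reports the missing table name rather than "bad query".
    fn fail<T>(&mut self, expected: &'static str) -> Option<T> {
        if self.pos >= self.furthest.0 { self.furthest = (self.pos, expected); }
        None
    }
    fn keyword(&mut self, kw: &'static str) -> Option<()> {
        self.skip_ws();
        let rest = self.src[self.pos..].as_bytes();
        if rest.len() >= kw.len() && rest[..kw.len()].eq_ignore_ascii_case(kw.as_bytes()) {
            self.pos += kw.len();
            return Some(());
        }
        self.fail(kw)
    }
    fn ident(&mut self) -> Option<&'a str> {
        self.skip_ws();
        let (src, start) = (self.src, self.pos);
        let len = src[start..].bytes()
            .take_while(|b| b.is_ascii_alphanumeric() || *b == b'_').count();
        if len == 0 { return self.fail("identifier"); }
        self.pos = start + len;
        Some(&src[start..self.pos]) // a slice of the original buffer, lifetime 'a
    }
}

pub fn parse_select(src: &str) -> Result<Select<'_>, ParseError> {
    let mut p = Parser { src, pos: 0, furthest: (0, "SELECT") };
    let parsed = (|| {
        p.keyword("SELECT")?;
        let mut columns = vec![p.ident()?];
        while p.keyword(",").is_some() { columns.push(p.ident()?); }
        p.keyword("FROM")?;
        let table = p.ident()?;
        p.skip_ws();
        if p.pos != src.len() { return p.fail("end of input"); }
        Some(Select { columns, table })
    })();
    parsed.ok_or(ParseError { offset: p.furthest.0, expected: p.furthest.1 })
}
```

Because the AST only borrows, the input buffer must outlive the `Select` it produces; in exchange no identifier is ever allocated or copied during parsing.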
Rust Fortifies Core Utilities
The Recap: The Trifecta Tech Foundation is spearheading an initiative to rewrite fundamental internet utilities like sudo, ntpd, and zlib in Rust, aiming to eliminate memory safety vulnerabilities in critical infrastructure.
Unpacked:
Canonical will adopt sudo-rs as the default in Ubuntu 25.10, replacing one of the most common utilities with a memory-safe alternative.
The Rust-based zlib-rs library now outperforms its C counterpart, becoming the fastest API-compatible implementation for data decompression.
Keeping time synchronization secure, ntpd-rs recently added experimental support for NTP version 5, pushing modern security into another core protocol.
Bottom line: This effort directly hardens the internet's foundations by systematically removing vulnerabilities from software everyone depends on. The success of these projects demonstrates a clear path for using Rust to secure legacy infrastructure at a massive scale.
The Shortlist
GeekWire recapped RustConf 2025, covering the language's growing enterprise adoption at Microsoft and Amazon and the challenges of its steep learning curve.
Starpsx emerged as a new work-in-progress PlayStation emulator written entirely in Rust, aiming for a fast, dependency-free, and cross-platform experience.
Kivooeo detailed his prolific contributions to the Rust compiler while highlighting the financial unsustainability for contributors in regions blocked from sponsorship platforms.