Supply Chain Under Siege: Malicious Rust Crates and AI Bots Exploit CI/CD Pipelines

Recent discoveries highlight how attackers are weaponizing both open‑source ecosystems and AI automation to infiltrate developer environments and steal secrets. From rogue Rust crates to AI‑powered GitHub bots, these campaigns underscore the fragility of CI/CD pipelines when trust is abused.

Malicious Rust Crates

Researchers identified five crates published to crates.io between late February and early March 2026:

  • chrono_anchor
  • dnp3times
  • time_calibrator
  • time_calibrators
  • time-sync

Key behaviors:

  • Masquerade as time utilities, impersonating timeapi.io.
  • Exfiltrate .env files containing API keys, tokens, and secrets to attacker infrastructure (timeapis[.]io).
  • chrono_anchor used obfuscation and invoked exfiltration logic via guard.rs to avoid detection.
  • Secrets were stolen every time CI workflows invoked the malicious code.

Impact:

  • Exposure of cloud credentials (AWS, GCP, Azure), GitHub tokens, registry keys, and database secrets.
  • Potential compromise of downstream users and environments.
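A practical first step when these crate names appear in a report is to check every lockfile in the organization for them. The following script is an added example, not tooling from the researchers or from Cargo: it parses the `[[package]]` tables of a `Cargo.lock` without any third-party library, flags the five crate names listed above, and also surfaces packages whose `source` is not the crates.io index, since those bypass the registry entirely and deserve a look. The embedded lockfile, its version numbers, checksums and the `example.invalid` git URL are constructed for the demonstration.

```python
"""Audit a Cargo.lock for the crates named in the write-up.

Added example (not the researchers' or Cargo's own tooling). The crate
names come from the article; the sample Cargo.lock text is constructed.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Crate names reported as malicious in the write-up (crates.io, Feb/Mar 2026).
SUSPECT_CRATES = {
    "chrono_anchor",
    "dnp3times",
    "time_calibrator",
    "time_calibrators",
    "time-sync",
}

# The registry source a Cargo.lock entry resolved from crates.io carries.
CRATES_IO_SOURCE = "registry+https://github.com/rust-lang/crates.io-index"

# key = "value" lines inside a [[package]] table
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Minimal parser for the [[package]] tables in a Cargo.lock.

    Keeps the scalar string fields (name, version, source, checksum) and
    skips the multi-line `dependencies = [ ... ]` array.
    """
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    in_array = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_array:                      # inside dependencies = [ ... ]
            if line.endswith("]"):
                in_array = False
            continue
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None or not line or line.startswith("#"):
            continue                      # header, blank or comment line
        if "=" in line and line.endswith("["):
            in_array = True
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def find_suspect_packages(packages: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for known-bad names and for any
    package resolved from somewhere other than crates.io. Path dependencies
    and the workspace's own crates have no `source` field and are skipped."""
    findings = []
    for pkg in packages:
        name = pkg.get("name", "")
        version = pkg.get("version", "?")
        source = pkg.get("source")
        if name in SUSPECT_CRATES:
            findings.append((name, version, "listed as malicious"))
        elif source is not None and source != CRATES_IO_SOURCE:
            findings.append((name, version, f"non-crates.io source: {source}"))
    return findings


# Constructed lockfile: versions, checksums and the git URL are made up.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "chrono"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
dependencies = [
 "num-traits",
]

[[package]]
name = "num-traits"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"

[[package]]
name = "time-sync"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222222222222222222222222222222222222222222222222222222222222222"

[[package]]
name = "internal-utils"
version = "0.3.0"
source = "git+https://example.invalid/internal-utils.git#abc123"

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "chrono",
 "time-sync",
]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CARGO_LOCK
    for name, version, why in find_suspect_packages(parse_cargo_lock(text)):
        print(f"{name} {version}: {why}")
```

Run it as `python audit_lock.py path/to/Cargo.lock` across every repository; a hit on a listed name means the secrets available to that project's CI (the `.env` contents the crates targeted) should be rotated, not just the dependency removed.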

AI Bot Exploiting GitHub Actions

An AI‑powered bot named hackerbot‑claw targeted CI/CD pipelines across major repositories (Microsoft, Datadog, Aqua Security).

Attack flow:

  1. Scan public repos for misconfigured GitHub Actions workflows.
  2. Fork repo, embed malicious payload in branch names or CI scripts.
  3. Submit trivial pull requests (e.g., typo fixes).
  4. Trigger CI pipelines automatically, executing malicious code.
  5. Steal secrets and tokens.

Case study – Aqua Security’s Trivy:

  • Exploited a pull_request_target workflow to steal a Personal Access Token (PAT).
  • Published a malicious VS Code extension to the Open VSX registry.
  • Injected logic to run local AI coding assistants (Claude, Codex, Gemini, Copilot CLI, Kiro CLI) in permissive modes.
  • Agents performed system inspection and exfiltrated results to attacker‑controlled GitHub repos.
  • Tracked as CVE‑2026‑28353.

Why It Matters

  • Low‑complexity, high‑impact: Simple supply chain malware can devastate CI/CD pipelines.
  • AI misuse: Attackers weaponize AI coding assistants to automate reconnaissance and exfiltration.
  • Trust exploitation: Developers rely on open‑source crates and automated workflows, making them prime targets.
  • Rapid iteration: Attackers refined techniques between versions 1.8.12 and 1.8.13 of Trivy’s extension, improving exfiltration reliability.

Defensive Recommendations

  • Audit dependencies: Scan for malicious crates and remove compromised packages.
  • Rotate secrets: Immediately reset API keys, tokens, and credentials if exposure is suspected.
  • CI/CD hardening:
    • Restrict pull_request_target workflows.
    • Limit outbound network access in build jobs.
    • Run builds with least privilege.
  • AI agent controls: Monitor and restrict local AI coding assistants from executing arbitrary inspection tasks.
  • Supply chain vigilance: Use dependency scanning tools to detect anomalies before execution.
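The `pull_request_target` item above is the one most often misconfigured: unlike `pull_request`, it runs in the base repository's trust context with its secrets, so checking out the pull request's head commit hands that context to any fork. The script below is an added example, not a tool from GitHub, Aqua Security or the researchers. It audits workflow files line by line (no YAML library, so it runs anywhere) for that trigger combined with a head checkout, for secrets exposed to it, and for `permissions: write-all`, and it carries a constructed vulnerable workflow beside a hardened one so the contrast is visible. Because it is a heuristic rather than a YAML parser, it can miss unusual layouts and should be read as a triage aid.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target
pattern abused in the Trivy case.

Added example (not GitHub's, Aqua Security's or the researchers' tooling).
Line-based on purpose: no YAML dependency, at the cost of missing odd
layouts. Both embedded workflows are constructed.
"""
import re
from typing import List

PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
# Checking out the PR head (by sha, ref, or refs/pull/N/...) runs fork code.
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.(\w+)")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")


def _strip_comments(text: str) -> List[str]:
    """Remove YAML comments so a commented-out trigger is not counted."""
    return [re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines()]


def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow file; an empty list means nothing flagged."""
    lines = _strip_comments(text)
    body = "\n".join(lines)
    findings: List[str] = []
    uses_prt = bool(PRT_TRIGGER.search(body))
    checks_out_head = bool(HEAD_CHECKOUT.search(body))
    secrets = sorted(set(SECRET_USE.findall(body)))
    if uses_prt and checks_out_head:
        findings.append(
            "CRITICAL: pull_request_target checks out the PR head, so code from "
            "any fork runs in the base repo's trust context"
        )
    elif uses_prt:
        findings.append(
            "WARN: pull_request_target trigger; review every step that touches "
            "PR-controlled input"
        )
    if uses_prt and secrets:
        findings.append("HIGH: secrets exposed to that trigger: " + ", ".join(secrets))
    if any(WRITE_ALL.match(ln) for ln in lines):
        findings.append("HIGH: permissions: write-all; grant per-scope read/write instead")
    return findings


# Constructed: the weak shape. Fork code is checked out and run with a secret.
VULNERABLE_WORKFLOW = """\
name: lint
on:
  pull_request_target:   # fires for PRs from forks, with base-repo secrets
    types: [opened, synchronize]
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: the hardened shape. pull_request runs fork code without
# secrets, the token is read-only, and the lint step needs no credential.
HARDENED_WORKFLOW = """\
name: lint
# pull_request_target is not used: fork code never sees repository secrets
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}]")
        for f in audit_workflow(wf) or ["no findings"]:
            print("  " + f)
```

Point it at every file under `.github/workflows/` in a repository. Where a workflow genuinely needs `pull_request_target` (for example, to label PRs), keep it to steps that never execute PR-controlled code, and pair it with the least-privilege `permissions` block and the egress restrictions recommended above.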

Final Thought

This campaign demonstrates how attackers blend open‑source supply chain compromises with AI‑powered automation to infiltrate developer pipelines. For defenders, the lesson is clear: developer security is now cloud security, and CI/CD pipelines must be treated as critical attack surfaces.
