Open Source Beat

Supply Chain Heist: 'TrapDoor' Steals Dev Credentials

Bad actors are actively targeting developer environments. The 'TrapDoor' campaign's reach across npm, PyPI, and Crates.io is a stark warning.

4 min read 4 days, 17 hours ago

Illustration of a Cargo crate exploding with filesystem permission changes in Rust toolchain

Security & Privacy

Cargo's Hidden Tar Bomb: Malicious Crates That Could Own Your Filesystem

Imagine trusting Cargo to unpack a crate, only for it to stealthily escalate permissions across your drive. That's the nightmare CVE-2026-33056 unleashes on Rust builders.

5 min read 2 months ago

#cratesio

Supply Chain Heist: 'TrapDoor' Steals Dev Credentials

Cargo's Hidden Tar Bomb: Malicious Crates That Could Own Your Filesystem