
Malicious Rust Crates and AI Bots Use CI/CD Pipelines to Steal Developer Secrets

Cybersecurity researchers have discovered five malicious Rust crates that pose as time-related utilities to transmit .env file data to malicious actors.

The Rust packages, published on crates.io, are listed below –

  • chrono_anchor
  • dnp3 times
  • time_calibrator
  • time_calibrator
  • time synchronization

The crates, according to Socket, emulate timeapi.io and were published in late February and early March 2026. They were assessed to be the work of a single threat actor based on the use of the same exfiltration method and the same domain (“timeapis[.]io”) to hide stolen data.

“Although crates serve as local time resources, their primary behavior is privacy theft,” said security researcher Kirill Boychenko. “They are trying to collect sensitive data from developers’ environments, especially .env files, and extract it to threaten player-controlled infrastructure.”

While four of the packages mentioned above show a direct ability to exfiltrate .env files, “chrono_anchor” goes a step further by using compression and functionality changes to avoid detection. The crates were advertised as a way to measure local time without relying on the Network Time Protocol (NTP).

“chrono_anchor” places its exfiltration logic inside a file called “guard.rs” that is invoked from the “sync selection” helper function to avoid raising developer suspicions. Unlike other malware, the code observed in this case does not try to set up persistence on the host through a service or scheduled operation.

Instead, the crate tries to exfiltrate the .env secrets again every time a Continuous Integration (CI) developer calls the malicious code.

The targeting of .env files is no accident, as they are often used to hold API keys, tokens, and other secrets, allowing an attacker to compromise downstream users and gain deep access to their environments, including cloud services, databases, and GitHub with registration tokens.

Although the packages have been removed from crates.io, users who may have accidentally downloaded them are advised to consider their secrets possibly exposed, rotate keys and tokens, check CI/CD functions that enable publishing or issuing credentials, and limit network access where possible.
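One way to hunt for this kind of lookalike endpoint in vendored dependency source, as an added example that is not code from Socket or the original article: it flags the domain indicator given above and any URL host within a small edit distance of a host the project is expected to call. The trusted-host list, the distance threshold of 2, the function names and the sample source are assumptions made for the illustration.

```python
import os
import re

# Hosts this project is expected to call (assumption for the example).
TRUSTED_HOSTS = {"timeapi.io", "crates.io", "github.com"}
# Indicator from the article, kept defanged and refanged only for matching.
BAD = "timeapis[.]io".replace("[.]", ".")
KNOWN_BAD = {BAD}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Constructed sample source, not taken from the real crates.
SAMPLE = ('let a = "https://timeapi.io/now";\n'
          'let b = "https://' + BAD + '/now";\n'
          'let c = "https://timeapl.io/now";\n')

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan_text(path, text):
    """Return (path, line, host, reason) for each suspicious URL host."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in HOST_RE.findall(line):
            host = host.lower().strip(".")
            if host in KNOWN_BAD:
                findings.append((path, lineno, host, "known indicator"))
            elif host not in TRUSTED_HOSTS:
                near = sorted(t for t in TRUSTED_HOSTS if edit_distance(host, t) <= 2)
                if near:
                    findings.append((path, lineno, host, "lookalike of " + near[0]))
    return findings

def scan_tree(root):
    """Scan every .rs file under root, e.g. a `cargo vendor` directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".rs"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(full, fh.read())
    return findings
```

A crate that takes extra steps to avoid detection, as the article says “chrono_anchor” does, may not carry the host as a plain string, so a source scan like this complements egress limits on CI runners and does not replace them.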

“This campaign shows that sophisticated malware can still deliver significant impact when operating within developer workstations and CI operations,” said Socket. “Prioritize controls that stop malicious dependencies before they happen.”

AI-Powered Bot Exploits GitHub Actions

The disclosure follows the discovery of an automated attack campaign that targeted CI/CD pipelines across large open source repositories, with an artificial intelligence (AI)-powered bot called hackerbot-claw scanning public repositories for GitHub Actions workflows to harvest developer secrets.

Between February 21 and February 28, 2026, a GitHub account, which described itself as an independent research agent, targeted no fewer than seven repositories belonging to Microsoft, Datadog, and Aqua Security, among others.

The attack goes like this –

  • Scan public repositories for poorly configured CI/CD pipelines
  • Fork the target repository and prepare a malicious payload
  • Open a pull request with a small change like a typo correction, while hiding the main payload in a branch name, file name, or CI text.
  • Run a CI pipeline by taking advantage of the fact that workflows are automatically activated on every pull request, causing malicious code to be executed on the build server.
  • Steal secrets and access tokens

One of the top targets of the attack was the repository “aquasecurity/trivy,” a popular security scanner from Aqua Security that searches for known vulnerabilities and secrets.

“Hackerbot-claw exploited the pull_request_target workflow to steal the Personal Access Token (PAT),” security firm StepSecurity said. “The stolen information was then used to take over the storage.”
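A static check for the workflow pattern described above, as an added example that is not code from StepSecurity, Aqua Security or the original article: it flags workflows triggered by pull_request_target that check out the pull request's head, and run scripts that expand pull-request fields such as the branch name. The function name, the list of fields and the sample workflow are assumptions made for the illustration, and the line-based matching is a heuristic, not a full YAML parser.

```python
import re

# Expression contexts an outside contributor controls through a pull request.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.pull_request\."
    r"(title|body|head\.ref|head\.label))\s*\}\}")
PR_HEAD_REF = re.compile(r"^\s*ref:.*github\.(event\.pull_request\.head\.|head_ref)")
TRIGGER = re.compile(r"\bpull_request_target\b")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Constructed workflow for the demo; not taken from any affected repository.
SAMPLE = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Branch: ${{ github.head_ref }}"
          make test
"""

def audit_workflow(text):
    """Return a list of (line_number, finding) for one workflow file."""
    lines = text.splitlines()
    privileged = any(TRIGGER.search(ln) for ln in lines if not ln.lstrip().startswith("#"))
    findings, run_indent = [], None
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = RUN.match(line)
        if m:
            # Remember the column of the run key so block-scalar bodies are covered.
            run_indent = len(m.group(1)) + len(m.group(2) or "")
            in_run = True
        else:
            in_run = run_indent is not None and indent > run_indent
            if not in_run:
                run_indent = None
        if in_run and UNTRUSTED.search(line):
            findings.append((no, "untrusted PR field expanded inside run script"))
        if privileged and PR_HEAD_REF.match(line):
            findings.append((no, "pull_request_target job checks out PR head code"))
    return findings
```

Passing the branch name to the script through an `env:` entry and reading it as a shell variable clears the second finding, because the value is no longer spliced into the script text before the shell parses it.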

In a statement released last week, Aqua Security’s Itay Shakury revealed that the attacker used the GitHub Actions workflow to push a malicious version of Trivy’s Visual Studio Code (VS Code) extension to the Open VSX registry, one that uses local AI agents to collect and exfiltrate sensitive information.

Socket, which also investigated the extension compromise, said that the logic included in versions 1.8.12 and 1.8.13 uses local AI code assistants, including Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI, in very permissive ways, instructing them to inspect the system extensively, generate a detailed report of what they found, and save it to a repository called “posture-report-trivy” using the victim’s authenticated GitHub CLI session.

Aqua removed the artifacts from the marketplace and revoked the token used to publish them. Users who have installed the extension are advised to remove it immediately, check for unexpected repositories, and rotate local passwords. The malicious artifact has been removed, and no other affected artifacts were identified. The incident is tracked under the CVE identifier CVE-2026-28353.

We must point out that for the system to be affected by the issue, the following requirements need to be fulfilled –

  • Version 1.8.12 or 1.8.13 is installed from Open VSX
  • At least one of the targeted AI code assistants is installed
  • The CLI accepts the permissive flags provided
  • The agent was able to access sensitive data on the disk
  • GitHub CLI is installed and authenticated (for version 1.8.13)

“Going from .12 to .13 seems like a repeat,” Socket said. “The first instruction broadcasts data to random channels with no reliable way for an attacker to collect the output. The second fixes that problem by using the victim’s GitHub account as a clean filtering channel, but its vague instructions may cause the agent to push secrets to a secret location that the attacker can’t see.”
