Leg day ft code: ARIELLE their Oner Your Body For You campaign is dropping on Feb 4, and I'm so excited 🤍 For me, onering my body right now looks like trusting the process even when it's hard. I'm in a calorie surplus, and while I know the weight ...
The greatest adventure..@DarkHorseDirect The Hobbit & Gollum vinyl figures arrive & I love them! They turned out amazing, I truly hope we see more! It would come on at Thanksgiving when I was a kid and I still watch it then #thehobbit1977 #thehobbit #gollum #onering #rankinbass
森 秀樹 retweeted
We detected a supply-chain compromise in onering 1.4.1, a Rust crate on crates.io with 18,000 downloads. The latest version uses a malicious build.rs script to quietly exfiltrate git data and source code from your latest commit on every build, disguised as Sentry traffic. The GitHub repository is also compromised, so pulling directly from git is not a safe workaround.
SARDONYX retweeted
An interesting (and useful) supply chain security finding from the Rust ecosystem. The crate "onering" (18k downloads on crates.io) had its v1.4.1 release shipped with an additional build.rs script that: → Locates the consuming project's root directory → Runs git log and git diff on the latest commit → Sends that data to a remote endpoint, disguised as Sentry telemetry. What makes this notable is that build.rs runs automatically during `cargo build`: no function calls or imports needed, just having it as a dependency is enough to trigger it. This is a good reminder that build scripts are part of the trust boundary too, and worth including in dependency audits, not just the library code itself. Full writeup by Aikido Security 🔗 aikido.dev/blog/compromised-… #Rust #RustLang #SupplyChainSecurity #OpenSource #DevSecOps
Someone compromised a Rust crate with 18,000 downloads. The malicious code runs on every build. Silently. Exfiltrating your git history. Your source code. Your latest commit. Disguised as Sentry error reporting traffic. So your security tools see what looks like normal observability data leaving your network. And wave it through. The GitHub repo is also compromised. So the fix everyone reaches for first makes it worse. IronWorm hid in npm. Shai-Hulud hit PyPI. Now onering hits crates.io. Three package managers. Three separate campaigns. All active simultaneously. Your dependencies are not your code. But they run with the same trust as your code. Check your Cargo.lock.
We detected a supply-chain compromise in onering 1.4.1, a Rust crate on crates.io with 18,000 downloads. The latest version uses a malicious build.rs script to quietly exfiltrate git data and source code from your latest commit on every build, disguised as Sentry traffic. The GitHub repository is also compromised, so pulling directly from git is not a safe workaround.
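The two posts above make the same practical point: check Cargo.lock for the bad release, and treat build scripts as part of the dependency audit. The following is an added example (not code from any of the posts or from the Aikido writeup) that does both: it parses the [[package]] tables of a Cargo.lock and flags the onering 1.4.1 coordinate named in the posts, and it walks a cargo registry source tree (the ~/.cargo/registry/src/<index>/<crate>-<version>/ layout) to report which extracted crates carry a build script, honouring the Cargo.toml `build = "path"` override and `build = false`. The sample lockfile and the registry tree built by `demo_registry_scan` are constructed for illustration.

```python
"""Audit a Cargo.lock for the compromised onering 1.4.1 release and list
locked crates that ship a build script. Added example, not code from the
posts above or from the Aikido writeup; the (name, version) pair is from
the posts, the sample lockfile and the demo registry tree are constructed."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Known-bad (name, version) pairs from the advisory; extend as needed.
COMPROMISED = {("onering", "1.4.1")}

# Constructed Cargo.lock excerpt in the real lockfile layout.
SAMPLE_LOCK = """\
[[package]]
name = "onering"
version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = ["onering", "serde"]
"""

_KV = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"$')
_BUILD = re.compile(r'^build\s*=\s*(false|"[^"]+")')

def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Collect name/version/source from every [[package]] table."""
    packages: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            packages.append({})
        elif packages:  # keys before the first table (e.g. version = 3) are skipped
            m = _KV.match(line)
            if m:
                packages[-1][m.group(1)] = m.group(2)
    return packages

def find_compromised(packages: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Locked (name, version) pairs that appear in COMPROMISED."""
    locked = {(p.get("name", ""), p.get("version", "")) for p in packages}
    return sorted(locked & COMPROMISED)

def has_build_script(crate_dir: str) -> bool:
    """Cargo runs build.rs by default; a [package] build = "path" key names
    another file and build = false disables it, so the manifest is checked first."""
    manifest = os.path.join(crate_dir, "Cargo.toml")
    section = ""
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if line.startswith("["):
                    section = line.strip("[]")  # only [package] may carry the build key
                    continue
                m = _BUILD.match(line)
                if m and section == "package":
                    return m.group(1) != "false"
    return os.path.isfile(os.path.join(crate_dir, "build.rs"))

def crates_with_build_scripts(registry_src: str) -> List[str]:
    """Walk a <registry_src>/<index>/<crate>-<version>/ tree (the layout of
    ~/.cargo/registry/src) and return the crate directories with a build script."""
    found: List[str] = []
    for index_dir in sorted(os.listdir(registry_src)):
        base = os.path.join(registry_src, index_dir)
        if os.path.isdir(base):
            for crate in sorted(os.listdir(base)):
                if has_build_script(os.path.join(base, crate)):
                    found.append(crate)
    return found

def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo_registry_scan() -> List[str]:
    """Scan a constructed registry tree that covers the manifest edge cases."""
    with tempfile.TemporaryDirectory() as tmp:
        idx = os.path.join(tmp, "index.crates.io-PLACEHOLDER")
        _write(os.path.join(idx, "onering-1.4.1", "build.rs"), "fn main() {}\n")
        _write(os.path.join(idx, "onering-1.4.1", "Cargo.toml"), '[package]\nname = "onering"\n')
        _write(os.path.join(idx, "cc-1.0.0", "Cargo.toml"), '[package]\nbuild = "src/build.rs"\n')
        _write(os.path.join(idx, "nobuild-0.1.0", "build.rs"), "fn main() {}\n")
        _write(os.path.join(idx, "nobuild-0.1.0", "Cargo.toml"), "[package]\nbuild = false\n")
        _write(os.path.join(idx, "serde-1.0.200", "Cargo.toml"), '[package]\n[dependencies]\nbuild = "0.1"\n')
        return crates_with_build_scripts(tmp)

if __name__ == "__main__":
    print("compromised:", find_compromised(parse_cargo_lock(SAMPLE_LOCK)))
    print("crates with build scripts in demo tree:", demo_registry_scan())
```

To run this against a real project, read the project's Cargo.lock into `parse_cargo_lock` and point `crates_with_build_scripts` at `~/.cargo/registry/src`; the build-script list is the set of crates whose code already executes on the build host during `cargo build`, which is the scope the second post suggests an audit should cover. The manifest check is deliberately line-based and only recognises the `build` key inside `[package]`, so a dependency that happens to be named `build` does not count as a build script.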
Rust Bytes 🦀 retweeted
Compromised Rust crate onering performs code exfiltration >> Malicious Rust crate "onering" v1.4.1 uses a build.rs script to exfiltrate your latest git commit metadata and full source diff, disguised as Sentry telemetry. #rustlang #rust
teebow1e retweeted
Jun 10
Supply chain attack detected in onering 1.4.1 @AikidoSecurity noticed the latest version has a malicious build.rs script that exfiltrates git data from your latest commit on every build, disguised as Sentry traffic. Screenshot of malicious build.rs file below
Noam Rathaus 🌪️ retweeted
We have detected that the popular package `onering` on crates.io has been compromised with an information stealer that runs on build, which sends a git diff to a Sentry endpoint without authorization: github.com/cenotelie/onering… This is quite novel.

Kazunori ANDO retweeted
[Supply-chain attack] Rust crate "onering" tampered with, stealing source code on every build. It came to light on June 10, 2026 that v1.4.1 of "onering", a Rust library with over 18,000 downloads on crates.io, contains malicious code. The wave of supply-chain attacks that swept through npm and PyPI has now reached the Rust ecosystem. The mechanism is clever. The attacker abused the build script (build.rs). Because Cargo runs this script automatically on the user's machine during the build phase, a project is infected without calling a single function of the library. The script locates the repository root of the project that depends on the crate, and fetches the metadata and full diff of the most recent commit. It then disguises that data as a Sentry telemetry event and sends it to a remote server. Because the traffic to Sentry looks like a normal crash report at build time, it easily slips past network monitoring. Since the diff is sent on every build, what leaks is not a single snapshot but a continuous history of source code changes, which is what makes this particularly dangerous. Furthermore, the maintainer's GitHub repository itself has also been compromised, so referencing Git directly instead of the registry is not safe either. Checking immediately whether v1.4.1 is in use is an urgent priority. aikido.dev/blog/compromised-…
