Essential insights from Hacker News discussions

Crates.io phishing attempt

This discussion revolves around a phishing campaign targeting Rust developers, drawing parallels to a similar incident with npm. The themes explored touch on the sophistication of modern phishing, the effectiveness of various security measures, and the evolving tactics of bad actors.

The Resurgence and Sophistication of Phishing

A significant portion of the conversation centers on the perceived increase in phishing attempts and the growing sophistication of these attacks. Users note that phishing is not new but has become more prevalent and harder to detect.

  • Increased Sophistication: Users observed that phishing attempts are no longer as crude as they used to be, with fewer spelling mistakes and more plausible domain names.
    • "People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for." - stravant
    • "This current spate of attacks might be because of that, in fact. Enough people know that phishing attacks are obviously low quality, so when they see a well-constructed message they're less suspicious." - ranger207
    • "What I recall is that the typos and grammar errors were intentional. This gets rid of skeptical people, and you're left with those who are extremely gullible and likely to fall for it." - whatamidoingyo
  • Plausible Domains and Communication: The attackers are leveraging domain squatting and mimicking official communication channels to increase their success rate.
    • "When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them." - WesolyKubeczek
    • "testdelacc1: That's an exceptionally well crafted phishing email and landing page. It looks so real! Even the URL looks legit - github.rustfoundation.dev (the real URL is rustfoundation.org). Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge)." - testdelacc1
    • "A coincidence is that today I got a 'two factor code from Coinbase. If you did not request this, call this number'. It looks like a typical tray notification in windows, and other than it's got a chrome header, it would be pretty easy to fall for." - arjie
  • Exploiting Urgency and Trust: Phishing tactics often involve creating a sense of urgency or exploiting trust in familiar brands and communication styles.
    • "You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them. You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency. Seems like this does work. Don’t worry, when they actually target you, you’ll be caught." - WesolyKubeczek
    • "hombre_fatal: I got an official email from Paypal last week saying that I had a charge for $900 at Kraken, and to call some number if it's suspicious. What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack." - hombre_fatal

The Role of Human Fallibility and "Filters"

Several users discuss how phishing exploits human error and how certain approaches are designed to "filter" for more gullible individuals.

  • The Numbers Game: The low cost and wide reach of phishing campaigns mean that even a small success rate can be profitable.
    • "To make up for that, they cast a wide net. It's a numbers game, like the guys that ask every single woman they meet for their phone number. It costs nothing or next to it, and all you need is one for a payoff." - stronglikedan
  • Intentional Errors as a Filter: Some believe that poorly constructed phishing attempts, with obvious errors, are intentional to weed out skeptical users, leaving only the most susceptible.
    • "whatamidoingyo: > People realized that past phishing attempts were quite badly constructed. I seem to recall that the typos and grammar errors were intentional. This gets rid of skeptical people, and you're left with those who are extremely gullible and likely to fall for it." - whatamidoingyo
  • Vulnerability to Stress and Fatigue: Even vigilant individuals can fall victim to phishing when tired or stressed.
    • "And for the ones that click the link, their password manager would stop them from entering their detail. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it." - diggan
    • "Phishing is a constant threat. And it's easy to fall for them because you only need to drop your guard once to become a victim. Stress, tiredness, or intoxication can all contribute to even someone who thinks they're good at spotting phishing attempts suddenly falling for one." - ziml77
  • Phishing as a "Filter for Fools": One user cynically noted that phishing success automatically identifies individuals who are susceptible to scams.
    • "Workaccount2: The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you." - Workaccount2

Defense Mechanisms and Security Best Practices

The discussion highlights several layers of defense, from technical solutions to user vigilance and best practices.

  • Password Managers: Password managers are repeatedly recommended as a crucial defense mechanism, particularly their ability to associate credentials with specific domains.
    • "So I guess ultimately it's bound to become news every now and then, until everyone finally got the memo to get a proper password manager that doesn't show accounts that don't belong to the domain." - diggan
    • "It really shouldn't though, and something you need to be personally responsible for. If it's still possible in 2025 for you to fall for phishing attempts, you're missing something, something that starts with a p and ends with a assword manager." - diggan
    • "diggan: > You must be joking. You must be joking, are you still not using a password manager at all? ... Now whenever you login, you either see a list of accounts (means you're on the right domain) or you don't (which means the domain isn't correct). And before people whine about 'autofill doesn't always work', it doesn't matter, the list should (also) show up from the extension modal/popup, so even if autofill doesn't work for that website, you'd be protected, since the list of accounts is empty for wrong domains." - diggan
  • WebAuthn and Security Keys: The use of hardware security keys (WebAuthn) is presented as a highly effective solution against credential theft.
    • "tialaramex: > Don’t worry, when they actually target you, you’ll be caught. When they target me, which happens, it doesn't work because of WebAuthn. Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them." - tialaramex
    • "otterley: GitHub supports passkeys. Just a friendly reminder for everyone to update their accounts to require passkey auth to prevent credential stealing. https://docs.github.com/en/authentication/authenticating-wit..." - otterley
  • Verifying Identity Independently: A core piece of advice is to never trust contact information provided in a suspicious message; instead, users should independently verify through official channels.
    • "ranger207: If you get a message (text, email or call), it's best to not trust the contents of the message until you verify it by logging in or whatever yourself. If crates.io says you have a problem, close the email and go to crates.io yourself. If your bank calls you, hang up and log in or call their support number yourself. Don't trust anyone contacting you for sensitive stuff" - ranger207
    • "rustc: > If your bank calls you, hang up and log in or call their support number yourself. And don't trust the number you see on Google. Google is known to show scammers' phone numbers in featured snippets or in their new "AI Mode". Click on the link and make sure it's the correct site before trusting the number." - rustc
    • "inetknght: Call the number on the back of your card. You do still have a physical card, right? You don't just have a banking app? Apps can be... uhhh... wrong..." - inetknght
  • Ignoring Urgency in Authentication: Experienced users learn to be skeptical of any request to log in, especially if it's not initiated by the user.
    • "hu3: I've grown old enough to ignore sense of urgency when coupled with authentication. That e-mail does not pass my sniff test." - hu3
    • "burntsushi: But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a 'forgot my password' flow or something)." - burntsushi
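The domain-scoped credential lookup that diggan describes is the mechanism that makes a look-alike host such as github.rustfoundation.dev harmless to a password-manager user. The following is an added illustration, not code from any password manager or from the discussion: it reduces a URL to its registrable domain (eTLD+1) and only offers vault entries whose site shares that domain, using a constructed vault and a deliberately tiny stand-in for the Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real password manager uses the full list; this is a simplification.
PUBLIC_SUFFIXES = {"com", "org", "dev", "io", "co.uk"}

# Constructed sample vault: the sites a user actually holds accounts for.
VAULT = [
    {"site": "https://github.com/login", "user": "dev@example.com"},
    {"site": "https://crates.io/", "user": "dev@example.com"},
    {"site": "https://rustfoundation.org/", "user": "dev@example.com"},
]


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of host ('api.github.com' -> 'github.com'), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: never match rather than guess


def host_of(url: str) -> Optional[str]:
    """Extract the host the browser would actually connect to."""
    # .hostname discards scheme, userinfo (user@), port and path, so a URL
    # like https://github.com@evil.example/ resolves to 'evil.example'.
    return urlsplit(url).hostname


def credentials_for(vault: list, url: str) -> list:
    """Return vault entries whose site shares the registrable domain of url."""
    target = registrable_domain(host_of(url) or "")
    if target is None:
        return []
    return [e for e in vault
            if registrable_domain(host_of(e["site"]) or "") == target]


if __name__ == "__main__":
    for url in ("https://github.com/session",
                "https://github.rustfoundation.dev/login",
                "https://rustfoundation.dev/"):
        print(url, "->", [e["user"] for e in credentials_for(VAULT, url)])
```

An empty list for the phishing URLs is exactly the "no accounts shown" signal the comment relies on; the legitimate github.com login still offers the stored account.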

The Specifics of the Rust/crates.io Phishing Campaign

The discussion also delves into the details of the particular phishing attempt that sparked the conversation, analyzing its strengths and weaknesses from the perspective of experienced developers.

  • Targeting and Context: The attack targeted developers using the Rust ecosystem's package manager, crates.io, leveraging a fake domain mimicking the Rust Foundation.
    • "shepmaster: An official post about this is at https://blog.rust-lang.org/2025/09/12/crates-io-phishing-cam..." - shepmaster
    • "testdelacc1: That's an exceptionally well crafted phishing email and landing page. It looks so real! Even the URL looks legit - github.rustfoundation.dev (the real URL is rustfoundation.org)." - testdelacc1
  • Weaknesses Identified by Experts: Despite its sophistication, some users pointed out flaws that were evident to those familiar with the Rust project's structure and security practices.
    • "burntsushi: The major tip-offs for me were: 1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders. 2. If a security incident like this would have occurred, there would have 100% been some kind of public communication about it on the rust-lang.org domain. ... So I knew this wasn't referencing a real event. 3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense." - burntsushi
    • "diggan: Firstly, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. ... Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people..." - diggan
  • Meme-based Response: The phishing site was later updated to display a meme, sarcastically contrasting "Chad Rust Devs" with "Virgin NPM Devs."
    • "arjie: This is funny. The site https://github.rustfoundation.dev now only contains a single image that is the buff doge vs cheems meme. Chad Rust Devs vs. Virgin NPM Devs Falling For Phishing Amusing." - arjie
    • "testdelacc1: Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge)." - testdelacc1

Potential AI Influence and Broader Security Concerns

A few users speculate about the role of AI in the rise of sophisticated phishing and touch on other related security issues.

  • AI-Assisted Phishing: The possibility of AI being used to craft more effective phishing campaigns at scale is raised.
    • "kannanvijayan: Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains." - kannanvijayan
  • Platform Vulnerabilities: The discussion touches on how legitimate platforms themselves can be exploited, as seen with PayPal's custom message feature.
    • "sschueller: This kind of incompetence should result in PayPal losing its banking permits in the EU. This is unacceptable and there is no way for an average person to identify the fraud and that is PayPal's fault. There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!" - sschueller
    • "coldfoundry: Wow, that's pretty bad. Reminds me of the old Paypal Invoice scams where scammers would upload the paypal logo as the invoice logo (which appears top left) and essentially “bill” the user. The scammer then adds inside the invoice note a paragraph explaining “Your money is being held due to currency exchange issues”, which gives basic reason to the “monetary deduction”. It got me as a kid, was quite slick for the time. Thought these scam-methods would be at least flagged these days before going out." - coldfoundry
  • The "Broader Internet" Problem: The prevalence of potentially insecure developers or those with less rigorous security practices is also mentioned as a contributing factor.
    • "shit_game: I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not." - shit_game