🦀 Strength in Numbers: How Cross-Ecosystem Collaboration Saved Rust from a Phishing Attack

In the world of open-source, we often talk about code, compilers, and performance. But what happens when the biggest threat isn’t a bug in the software, but a trap for the humans behind it? Lori Lorusso, Director of Outreach for the Rust Foundation, recently shared a compelling case study on how a “super team” of foundations joined forces to thwart a sophisticated phishing campaign.

🚀 The Rise of the Rust Ecosystem

Rust has quickly become one of the most loved and fastest-growing programming languages globally. It is famous for being memory-safe, memory-efficient, and incredibly fast. Unlike many of its predecessors, Rust lacks a runtime or garbage collector, yet it provides a top-tier compiler with helpful error messages that guide developers toward better code. 🛠️

The Rust Foundation serves as the independent non-profit steward of this ecosystem. They manage everything from technical infrastructure and collaborative governance to strategic investments. With 230,000 crates and a staggering 242 billion total downloads, the ecosystem’s health is vital to the global software supply chain.

🛡️ The Alpha Omega Security Initiative

In 2022, the OpenSSF identified Rust as a critical open-source software project. This recognition led to a powerful partnership through the Alpha Omega grant program.

The Rust Foundation utilized this grant to level up its defenses, specifically by:

  • Establishing a dedicated Security Team (featuring experts like Joel, Walter, Toby, and Adam). 🦾
  • Implementing threat modeling and ecosystem scanning.
  • Developing trusted publishing for crates and infrastructure for crate signing.
  • Strengthening tooling to address vulnerabilities before they escalate.

🎣 Anatomy of a Phishing Attack: A Timeline of Trouble

While Rust is the “new kid on the block” compared to giants like npm or PyPI, it shares a common point of exposure with them: the identity provider. All three ecosystems rely heavily on GitHub for user identity. 🌐

In late 2023, a wave of phishing attacks began rippling through the open-source world:

  1. July 2023: npm fell victim to a phishing email. A maintainer clicked a link, generating an API token that allowed attackers to publish malware-laden versions of packages.
  2. Shortly After: PyPI suffered a similar fate. Attackers compromised four user accounts, triggering a dangerous spiral. 📉
  3. September 2023: npm faced a second attack on a Monday.
  4. The Following Friday: The attackers turned their sights on Rust.

🤝 The Power of the “Super Team”

This is where the story shifts from a disaster to a triumph of community. Because the Rust Foundation, Python (PyPI), and JavaScript (npm) communities are all part of the Alpha Omega grantee network, they don’t work in silos. They share Slack channels, hold quarterly meetings, and maintain open lines of communication. 📡

Seth Larson, the Security Developer in Residence at the Python Software Foundation, had previously built a threat monitoring system to flag newly registered domains. He spotted a suspicious domain targeting crates.io and immediately alerted the Rust team.

Audience Member: “What is Seth’s official title?” Lori Lorusso: “Security Developer in Residence! Thank you.”

This heads-up allowed the Rust security team to mitigate the attack and coordinate their response via Zulip and Bluesky far faster than their predecessors had. They learned from the mistakes of the npm and PyPI attacks and used the tools their peers had already built. 🎯
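The monitoring described above flags newly registered domains that impersonate a trusted ecosystem domain. As an added illustration (not Seth Larson's tool or any foundation's code), here is a minimal lookalike-domain check run over a constructed feed; the watchlist, homoglyph table and sample domains are all assumptions for the example.

```python
# Added example: flag newly registered domains that impersonate watched brands.
# Watchlist, homoglyph table and the feed below are constructed for illustration.
WATCHLIST = ["crates.io", "pypi.org", "npmjs.com"]

# Substitutions that make a lookalike domain render like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample of one day's newly registered domains.
SAMPLE_FEED = ["crates-io-verify.com", "crate.io", "cratesi0.com",
               "pypi-security.org", "rust-lang.org", "example.com", "crates.io"]


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot, and fold common homoglyphs for comparison."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str, watchlist=WATCHLIST):
    """Return a reason if `domain` looks like a watched brand, else None."""
    norm = normalize(domain)
    if norm in watchlist:
        return None  # the genuine domain itself
    first_label = norm.split(".")[0]
    squashed = norm.replace("-", "").replace(".", "")  # "crates-io-x.com" -> "cratesioxcom"
    for brand in watchlist:
        label = brand.split(".")[0]
        if brand.replace(".", "") in squashed:
            return f"embeds {brand}"
        if label in first_label:
            return f"contains '{label}' from {brand}"
        if edit_distance(first_label, label) <= 1:
            return f"typosquat of {brand}"
    return None


def flag_domains(feed, watchlist=WATCHLIST):
    """Run the checks over a feed and return (domain, reason) hits for triage."""
    return [(d, check_domain(d, watchlist)) for d in feed if check_domain(d, watchlist)]


if __name__ == "__main__":
    for domain, reason in flag_domains(SAMPLE_FEED):
        print(f"ALERT {domain}: {reason}")
```

Hits are leads for an analyst, not verdicts: a registration that merely contains a brand label still needs a human look before anyone is alerted.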

🌐 Overcoming the “Size” Tradeoff

One major challenge for mid-sized foundations is getting the attention of tech giants. When the attack hit, the Rust Foundation struggled to reach the right people at GitHub to resolve the malware issue.

While Rust has billions of downloads, it is dwarfed by PyPI, which sees 124 billion downloads in a single month. However, because of their standing within the OpenSSF and the Alpha Omega community, the foundation gained the necessary networking connections to reach GitHub’s security leadership and resolve the situation quickly. 💾

✨ Building a Sustainable Future

Security is not a one-time fix; it is a continuous investment. Lori emphasized that open-source projects need active participation and funding to stay secure.

A major highlight of the talk was the announcement that Canonical has joined the Rust Foundation as a Gold Member! 🎊 Canonical is already a heavy user of Rust, utilizing it for Rust for Linux and rewriting core infrastructure. Their commitment to governance and infrastructure—not just language adoption—is a massive win for the community’s sustainability.

🦾 How You Can Help

  • Join the Conversation: OpenSSF has public calendars, Slack channels, and group meetings where you can stay informed on the latest security trends.
  • Support Foundations: Whether through membership or contribution, foundations like Rust, Python, and Eclipse need resources to protect the “humans behind the code.”
  • Stay Vigilant: As the phishing attacks on npm, PyPI, and Rust show, the human element is often the primary target.

By bridging the gap between different ecosystems, the tech community can ensure that when one of us is attacked, we all stand together to fight back. 🦾🌐🦀
