Here's another crates.io security advisory, again many thanks to Socket!
Malicious crates `finch-rust` and `sha-rust` have been removed; they appeared to try to exfiltrate credentials stored in local files.
Our official announcement: https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/
Socket's blog post with more technical analysis: https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials
Also we're having discussions in Zulip in `t-crates-io
> how to announce takedowns?` about possible changes to these announcements.