onering

discovered 2026-06-10

Rust crate on crates.io whose v1.4.1 (malicious commit 45e552f541dd96c2ac224d1b97cb7cda1c1d63e9) ships a malicious build.rs build script (74 lines), added alongside a new 'uuid' build-dependency in Cargo.toml (uuid 1.23, default-features=false, features=["v4"]) that is used to mint the Sentry event_id. At cargo build time the script walks up from OUT_DIR until it finds the parent of a 'target' directory, i.e. it deliberately locates the consuming Cargo workspace/project root. It captures the latest commit metadata via 'git log -n 1 --pretty=format:{...}' (commit hash, author name, author email, date, subject) and the full source diff of that commit via 'git diff HEAD^ HEAD', then exfiltrates everything as a three-line Sentry NDJSON envelope (event_id from Uuid::new_v4, a dsn carrying the public key 8197ee42c4f59c83f4cc6d48f5bae821, message 'on build', platform 'rust', the commit fields as tags, the patch in extra), POSTed via curl with Content-Type application/x-sentry-envelope to an abused Sentry ingest endpoint. Every step uses Ok()-guarded early returns (silent failure), so a failed exfiltration never breaks the host build. The victim is the dependent project: developer emails, internal commit messages, and proprietary source code from private repositories are stolen at compile time. Recommendation: yank version 1.4.1.
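As an added example (not part of this advisory and not the crate's code), a small Python scanner that flags build.rs files in the local cargo registry showing the combination of traits described above: an ancestor walk from OUT_DIR, git history commands, and outbound network calls. The regex heuristics and both sample scripts are constructed for this demonstration; only the DSN public key is taken from the advisory.

```python
import re
from pathlib import Path

# Heuristic patterns derived from the behaviour described above: an ancestor walk
# from OUT_DIR, git history reads, and a network client posting a Sentry envelope.
INDICATORS = {
    "out_dir_walk": re.compile(r'OUT_DIR[\s\S]{0,400}?\.(?:parent|ancestors)\(\)'),
    "git_history": re.compile(r'"git"[\s\S]{0,200}?"(?:log|diff)"'),
    "network_egress": re.compile(r'"curl"|reqwest::|ureq::|hyper::'),
    "sentry_envelope": re.compile(r'x-sentry-envelope|sentry_key='),
    # DSN public key quoted in the advisory for the onering 1.4.1 envelope.
    "known_dsn_key": re.compile(r'8197ee42c4f59c83f4cc6d48f5bae821'),
}

def scan_build_script(src: str) -> dict:
    """Return a severity and the indicator names that matched in one build.rs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # Reading git history *and* reaching the network is not something a
    # legitimate build script needs; OUT_DIR.parent() alone is common and benign.
    if "known_dsn_key" in hits or {"git_history", "network_egress"} <= set(hits):
        severity = "high"
    else:
        severity = "review" if hits else "clean"
    return {"severity": severity, "indicators": hits}

def scan_registry(cargo_home) -> list:
    """Scan every build.rs in the unpacked crate sources under $CARGO_HOME."""
    findings = []
    for build_rs in sorted(Path(cargo_home).glob("registry/src/*/*/build.rs")):
        result = scan_build_script(build_rs.read_text(errors="replace"))
        if result["severity"] != "clean":
            findings.append((build_rs.parent.name, result))  # e.g. "onering-1.4.1"
    return findings

# Constructed fixture with the same *shape* as the described script; it is not
# the real build.rs and the curl call has no URL, so it sends nothing.
SUSPICIOUS_BUILD_RS = r'''
let mut dir = std::path::PathBuf::from(std::env::var("OUT_DIR").unwrap());
while let Some(p) = dir.parent() { if p.join("target").is_dir() { break; } dir = p.into(); }
let _log = std::process::Command::new("git").args(["log", "-n", "1"]).output();
let _ = std::process::Command::new("curl").args(["-H", "Content-Type: application/x-sentry-envelope"]).output();
'''
# Constructed benign build script compiling native code with the cc crate.
BENIGN_BUILD_RS = r'''
cc::Build::new().file("src/native.c").compile("native");
println!("cargo:rerun-if-changed=src/native.c");
'''
```

Run `scan_registry("~/.cargo")` (expanded) after a `cargo fetch` to review every vendored build script before the first `cargo build` compiles it.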

Threat types

data_exfiltration

Malicious versions

  • 1.4.1
