—
RUSTSEC-2026-0175
`onering` 1.4.1 was removed from crates.io for malicious code
Details
A new version of the `onering` crate was published with code that attempted to exfiltrate both metadata and code from the project it was included within.
One malicious version was published on 2026-06-10, approximately six hours before removal. This crate has no dependencies on crates.io, and there is no evidence of actual usage of the compromised version.
Thanks to Charlie Eriksen for the report.
Are you affected?
Enter the version of the package you're using.
Affected packages
crates.io / onering
Introduced in:
1.4.1 Fixed in: 1.4.2-0 Upgrade onering to 1.4.2-0 or newer (ecosystem crates.io).
References
- https://crates.io/crates/onering [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2026-0175.html [ADVISORY]