crates.io: Malicious crates finch-rust and sha-rust
Summary

On December 5th, the crates.io team was notified by Kush Pandya from the Socket Threat Research Team of two malicious crates that attempted to cause confusion with the existing finch crate while adding a dependency on a malicious crate that performed data exfiltration.

These crates were:

- finch-rust - 1 version published November 25, 2025, downloaded 28 times, used sha-rust as a dependency
- sha-rust - 8 versions published between November 20 and November 25, 2025, downloaded 153 times

Actions taken

The user in question, face-lessssss, was immediately disabled, and the crates in question were deleted from crates.io shortly after. We have retained the malicious crate files for further analysis.

The deletions were performed at 15:52 UTC on December 5th.

We reported the associated repositories to GitHub and the account has been removed there as well.

Analysis

Socket has published their analysis in a blog post.

These crates had no dependent downstream crates on crates.io, and there is no ev
Continue reading on Rust Blog
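To check whether either crate was ever resolved into a build, the following added example (not code from crates.io or Socket) scans Cargo.lock text for the two crate names listed above and for packages that depend on them directly. The sample lockfile and its version numbers are constructed, and the parser assumes Cargo's usual multi-line `dependencies` layout.

```rust
// Added example: scan Cargo.lock text for the two crates named in the
// advisory, and for packages that list either one as a direct dependency.
const FLAGGED: [&str; 2] = ["finch-rust", "sha-rust"];
// Constructed sample lockfile; every version here is a placeholder.
const SAMPLE: &str = r#"
[[package]]
name = "demo-app"
version = "0.0.0"
dependencies = [
 "finch",
 "finch-rust",
]
[[package]]
name = "finch-rust"
version = "0.0.0"
dependencies = [
 "sha-rust 0.0.0",
]
[[package]]
name = "sha-rust"
version = "0.0.0"
"#;

fn is_flagged(name: &str) -> bool { FLAGGED.iter().any(|f| *f == name) }
fn quoted(line: &str) -> Option<&str> { line.split('"').nth(1) } // text in first "..."

/// Returns (package, version, reason) for each hit, in file order.
pub fn scan_lockfile(lock: &str) -> Vec<(String, String, String)> {
    let (mut name, mut version, mut in_deps) = (String::new(), String::new(), false);
    let mut hits = Vec::new();
    for line in lock.lines().map(str::trim) {
        if in_deps {
            // Entries: "name", "name version" or "name version (source)"; "]" ends the list.
            let Some(entry) = quoted(line) else { in_deps = false; continue };
            let dep = entry.split_whitespace().next().unwrap_or("");
            if is_flagged(dep) { hits.push((name.clone(), version.clone(), format!("depends on {dep}"))); }
        } else if line.starts_with("name = ") {
            name = quoted(line).unwrap_or("").to_string();
        } else if line.starts_with("version = ") {
            // Cargo writes name before version, so the package name is already known here.
            version = quoted(line).unwrap_or("").to_string();
            if is_flagged(&name) { hits.push((name.clone(), version.clone(), "named in advisory".into())); }
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    hits
}
fn main() { for h in scan_lockfile(SAMPLE) { println!("{h:?}"); } }
```

Matching is on the exact crate name, so the legitimate finch crate is not reported.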




