A coordinated supply chain attack on the Rust ecosystem involved five malicious crates masquerading as time utilities. These crates silently exfiltrated .env files containing sensitive developer credentials to a threat actor-controlled lookalike domain using background curl processes.