Empowering everyone to build reliable and efficient software.
Cargo (Rust's package manager) mishandled symlinks in third-party registry tarballs, allowing a malicious crate to overwrite the cached source of other crates from the same registry (CVE-2026-5223, medium severity; crates.io unaffected). The fix ships in Rust 1.96.0 on May 28th — teams using private or third-party Cargo registries should audit for symlinks and plan the upgrade before then.
The Rust Security Response Team was notified that Cargo incorrectly handled
symlinks inside of crate tarballs downloaded from third-party registries,
allowing a malicious crate to override the source code of another crate from the
same registry.
This vulnerability is tracked as CVE-2026-5223. The severity of the
Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
How `shieldcortex audit --deps` Catches the parikhpreyash4 Supply-Chain Attack
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
GitHub links repo breach to TanStack npm supply-chain attack
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Shai-Hulud: What to Know About the Malware Spreading Through Software Pipelines - Decrypt
Cisco Patches Critical Vulnerability in Secure Workload
Laravel Lang packages hijacked to deploy credential-stealing malware
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
Empowering everyone to build reliable and efficient software.
