testdelacc1 2 days ago

That's an exceptionally well crafted phishing email and landing page. It looks so real! Even the URL looks legit - github.rustfoundation.dev (the real URL is rustfoundation.org). Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge). As chad as Rust devs supposedly are, something tells me at least a few of them are going to fall for this attack.
diggan 2 days ago

> That's an exceptionally well crafted phishing email and landing page

I dunno, same was said about the npm email, but I think this one is even worse.

First off, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. What information would even be compromised here, the GitHub profile's email?

Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people, but fair enough, most people don't have knowledge of the Rust organizations, I'm guessing.

Thirdly, if there truly was a security issue with crates, I'd expect that to be plastered all over the internet, not the very least official Rust website and crates.io, immediately. They wouldn't wait and reach out to authors first, then publicly announce it. Would be my guess at least.

In the end, a tired and/or stressed person could miss all of those things, which happens sometimes with phishing. We're all human after all, shit goes through the cracks sometimes, even to the best of us.

That's why it's really important that people stop trying to fight phishing by manually preventing it by processes, or going to the website instead of clicking links and so on. Just get a password manager that can connect domains with credentials, then when the list of accounts doesn't show up when you expect it to, pay close attention to what's going on. Otherwise you can just move forward without much thinking.
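The password-manager behaviour described in the comment above, as an added example that is not part of the thread: credentials are looked up by the page's parsed host, so the lookalike domain gets an empty account list even though the URL "looks familiar". The vault entries, usernames, URL paths and function names are constructed for illustration; only the domains come from the thread.

```javascript
// Added example: domain-bound credential lookup, as a password manager does it.
// Vault entries are constructed sample data; usernames are placeholders.
const vault = [
  { host: "github.com", username: "example-user" },
  { host: "rustfoundation.org", username: "example-user" },
];

// True when pageHost is storedHost itself or a subdomain of it.
// The leading dot keeps "notgithub.com" from matching "github.com".
function hostMatches(pageHost, storedHost) {
  return pageHost === storedHost || pageHost.endsWith("." + storedHost);
}

// Return the vault entries that may be offered on pageUrl.
function credentialsFor(pageUrl, entries) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return []; // unparsable address: offer nothing
  }
  if (url.protocol !== "https:") return []; // never fill over plain HTTP
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return entries.filter((e) => hostMatches(host, e.host));
}

// What a hurried reader does: spot a familiar name somewhere in the URL.
function looksFamiliar(pageUrl) {
  return /github|rustfoundation/i.test(pageUrl);
}

// Compare the human heuristic with the host-bound lookup for one URL.
function report(pageUrl) {
  return {
    pageUrl,
    looksFamiliar: looksFamiliar(pageUrl),
    offered: credentialsFor(pageUrl, vault).map((e) => e.host),
  };
}

for (const u of [
  "https://github.com/login",
  "https://gist.github.com/",
  "https://github.rustfoundation.dev/login", // domain from the thread; path is constructed
  "http://github.com/login",
]) {
  console.log(report(u));
}
```

The third URL is the case from the thread: `looksFamiliar` is true, but `offered` is empty, which is the "list of accounts doesn't show up" signal.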
carols10cents 2 days ago

Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.