diggan 2 days ago

> That's an exceptionally well crafted phishing email and landing page

I dunno, same was said about the npm email, but I think this one is even worse.

First off, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. What information would even be compromised here, the GitHub profile's email?

Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people, but fair enough, most people don't have knowledge of the Rust organizations, I'm guessing.

Thirdly, if there truly was a security issue with crates, I'd expect that to be plastered all over the internet, not least on the official Rust website and crates.io, immediately. They wouldn't wait and reach out to authors first, then publicly announce it. Would be my guess at least.

In the end, a tired and/or stressed person could miss all of those things, which happens sometimes with phishing. We're all human after all, shit goes through the cracks sometimes, even to the best of us.

That's why it's really important that people stop trying to fight phishing by manually preventing it by processes, or going to the website instead of clicking links and so on. Just get a password manager that can connect domains with credentials, then when the list of accounts doesn't show up when you expect it to, pay close attention to what's going on. Otherwise you can just move forward without much thinking.
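The origin binding the comment relies on, shown as an added example that is not code from the post or from any real password manager: saved logins are keyed to the origin they were created on, and a lookalike host such as a hyphenated or suffixed variant of the real domain produces no match, which is the "nothing shows up" signal the commenter describes. The vault entries, usernames and lookalike URLs are constructed placeholders, and the subdomain-matching rule is a simplifying assumption (real managers typically consult the Public Suffix List).

```python
"""Toy origin-bound credential lookup (constructed illustration).

Not the implementation of any real password manager; the vault contents and
the URLs checked below are placeholders invented for this example.
"""
from urllib.parse import urlsplit

# Constructed vault: each saved login is bound to the origin it was saved on.
VAULT = [
    {"origin": "https://github.com", "username": "alice"},
    {"origin": "https://crates.io", "username": "alice"},
]


def _split_origin(url):
    """Return (scheme, hostname) for a URL; urlsplit lowercases the host
    and strips any port or userinfo, so 'https://crates.io:443/x' gives
    ('https', 'crates.io'). hostname is None for malformed input."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.hostname


def _host_matches(saved_host, page_host):
    """Exact host match, or the page is a subdomain of the saved host.

    Matching is on whole labels: 'crates-io.example', 'crates.io.example'
    or 'xcrates.io' never match a login saved on 'crates.io'.
    (Assumption: subdomains of a saved host are treated as the same site.)
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def matching_logins(page_url, vault=VAULT):
    """Usernames the manager would offer to fill on page_url.

    Requires https, since a login saved under https must never be filled
    into a plain-http page with the same host name.
    """
    scheme, host = _split_origin(page_url)
    if scheme != "https" or host is None:
        return []
    matches = []
    for entry in vault:
        saved_scheme, saved_host = _split_origin(entry["origin"])
        if saved_scheme == scheme and _host_matches(saved_host, host):
            matches.append(entry["username"])
    return matches


def looks_like_phish(page_url, vault=VAULT):
    """The signal the comment describes: the user expected a saved login
    to appear, but nothing in the vault is bound to this origin."""
    return not matching_logins(page_url, vault)


if __name__ == "__main__":
    # Constructed URLs; the lookalikes do not refer to any real campaign.
    for url in [
        "https://crates.io/me",
        "https://docs.crates.io/",
        "https://crates-io.example/login",
        "https://crates.io.example/login",
        "http://crates.io/login",
    ]:
        print(f"{url:36} fill={matching_logins(url)} suspicious={looks_like_phish(url)}")
```

The useful property is that the check never depends on how convincing the page looks: a pixel-perfect clone on a different host gets an empty fill list, and that absence is what the user is trained to notice.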