onering Rust crate compromised — build.rs exfiltrates your source code as fake Sentry telemetry (June 2026)
TL;DR
On 2026-06-10, Aikido Security detected malicious behavior in onering v1.4.1 — a Rust synchronous queue/channels library (~18K Crates.io downloads). The malicious version injected a build.rs script that silently exfiltrates your git diff / source code changes to a remote server on every Cargo build, disguising the stolen data as a Sentry telemetry event. Both the Crates.io release and the maintainer's GitHub repository appear to be compromised — building from git does NOT make you safe.
⚠️ Status: unconfirmed — single primary source (Aikido) at time of publication. Treating as real given Aikido's weight-20 track record on supply-chain detection.
What happened
On June 10, 2026, Aikido Security detected that onering version 1.4.1 (a high-throughput synchronous queue and channels library for Rust) introduced a malicious build.rs file that was absent in prior versions.
What the malicious build.rs does
The injected build script performs three operations on every cargo build:
- Locates the consuming project's root via Cargo environment variables.
- Runs
git diff HEAD^ HEADto capture the full diff of the consuming project's latest commit — your actual source code changes, not just onering's own code. - Exfiltrates the diff to a remote server via
curl, disguised as a Sentry crash-report telemetry POST. The commit metadata becomes event tags; the code diff is stuffed into theextra.patchfield.
This means that over many builds, the attacker receives a rolling stream of your real source code changes rather than a single snapshot. Any project that depends on onering and is actively developed will leak every committed change.
Why "Sentry disguise" matters
Sentry ingest endpoints (sentry.io/api/...) are on most organizations' egress allowlists as normal error-telemetry traffic. Disguising the exfiltration as a Sentry event blends the outbound request into normal developer tooling egress — the same technique as the codexui-android actor who disguised exfil as a Sentry POST to a fake Sentry host (sentry.anyclaw.store).
Scope of compromise
- The Crates.io published package (
oneringv1.4.1) is confirmed malicious. - The maintainer's GitHub repository also appears compromised — pulling from git does not provide a clean build.
- Only
v1.4.1is confirmed; prior versions are unaffected.
Am I affected?
# Check if onering is in your dependency tree
cargo tree | grep onering
# Check which version is pinned in Cargo.lock
grep -A2 'name = "onering"' Cargo.lock
# If you have onering 1.4.1 installed, check for recent curl invocations in build output
# (may be suppressed by Cargo; check with verbose build)
cargo build -v 2>&1 | grep -i 'sentry\|curl'
# Grep build.rs of onering for signs of the malicious code
find ~/.cargo/registry/src -path '*/onering-1.4.1/build.rs' -exec cat {} \;
If your Cargo.lock pins onering = "1.4.1", treat your source code repository as potentially compromised.
If you are affected
- Pin to a known-safe version of onering in
Cargo.toml(e.g.,onering = "=1.4.0") or remove the dependency. - Assume source code exfiltration for any code changes built while v1.4.1 was active — rotate secrets embedded in or adjacent to the leaked diffs (API keys in config files, hardcoded tokens).
- Check git history for any unexpected commits or pushes around the time v1.4.1 was installed.
- Audit outbound network traffic from your CI runners for unexpected POSTs to Sentry-looking endpoints from build processes.
Context: supply-chain compromise in the Rust ecosystem
This is consistent with the now-established build.rs-as-execution-primitive pattern in Rust supply-chain attacks. Unlike npm's postinstall, build.rs runs during cargo build and is not suppressed by any equivalent of --ignore-scripts. All build.rs scripts in your dependency tree run with full file-system access and can make outbound network connections.
Notable Rust supply-chain incidents this year:
- TrapDoor (May 2026) — cross-ecosystem npm+PyPI+Crates.io; build.rs XOR-encrypts keystores → GitHub Gists.
- Cargo CVE-2026-5223 / CVE-2026-5222 (May 2026) — Cargo-level archive-extraction vulnerabilities.
- Five malicious Rust crates posing as time utilities (March 2026) — .env file exfiltration.
Sources
- Aikido Security — Compromised Rust crate onering performs code exfiltration — primary detection and technical analysis.