Crates.io API Key
Service Name: Crates.io
Service Description: Crates.io is the package registry for the Rust programming language. It allows developers to publish, download, and manage Rust packages (called "crates").
Service Address: https://crates.io/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants the ability to publish, update, and manage Rust packages on crates.io. Can be used to publish new versions of packages, yank versions, and manage package ownership.
Secret Revokement URL: https://crates.io/me
Secret Example: cratesio_7f8e9d1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q
Suspicious Activity Investigation Instructions:
- Review your crates.io account for any unauthorized package publications or updates
- Check the activity log for your packages to identify any unexpected changes
- Verify that no new package owners have been added without authorization
- Examine package version history for any unauthorized yanks or publishes
- Review any webhooks or integrations that might have been added to your account
Mitigation Instructions:
- Log in to your crates.io account at https://crates.io/me
-
Revoke the compromised API token immediately
-
Generate a new API token if needed
- Review and audit all packages under your control for unauthorized
modifications
- Consider enabling two-factor authentication if available
- Update any CI/CD pipelines or automated systems that were using the
compromised token
- Check for any unexpected dependencies that might have been added to your
packages
- Contact the crates.io team if you suspect malicious activity affecting the
broader ecosystem