Skip to content

Crates.io API Key

Service Name: Crates.io

Service Description: Crates.io is the package registry for the Rust programming language. It allows developers to publish, download, and manage Rust packages (called "crates").

Service Address: https://crates.io/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants the ability to publish, update, and manage Rust packages on crates.io. Can be used to publish new versions of packages, yank versions, and manage package ownership.

Secret Revokement URL: https://crates.io/me

Secret Example: cratesio_7f8e9d1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q

Suspicious Activity Investigation Instructions:

  • Review your crates.io account for any unauthorized package publications or updates
  • Check the activity log for your packages to identify any unexpected changes
  • Verify that no new package owners have been added without authorization
  • Examine package version history for any unauthorized yanks or publishes
  • Review any webhooks or integrations that might have been added to your account

Mitigation Instructions:

  • Log in to your crates.io account at https://crates.io/me
  • Revoke the compromised API token immediately

  • Generate a new API token if needed

  • Review and audit all packages under your control for unauthorized

modifications

  • Consider enabling two-factor authentication if available
  • Update any CI/CD pipelines or automated systems that were using the

compromised token

  • Check for any unexpected dependencies that might have been added to your

packages

  • Contact the crates.io team if you suspect malicious activity affecting the

broader ecosystem