Crates.io phishing attempt

140 points | dmarto | 63 comments | 9/12/2025, 2:50:57 PM | fasterthanli.me

Comments (63)

ranger207 · 3h ago
If you get a message (text, email or call), it's best to not trust the contents of the message until you verify it by logging in or whatever yourself. If crates.io says you have a problem, close the email and go to crates.io yourself. If your bank calls you, hang up and log in or call their support number yourself. Don't trust anyone contacting you for sensitive stuff.
rustc · 2h ago
> If your bank calls you, hang up and log in or call their support number yourself.

And don't trust the number you see on Google. Google is known to show scammers' phone numbers in featured snippets or in their new "AI Mode". Click on the link and make sure it's the correct site before trusting the number.

inetknght · 1h ago
Call the number on the back of your card. You do still have a physical card, right? You don't just have a banking app? Apps can be... uhhh... wrong...
diggan · 17m ago
Phone number on the card? My latest card doesn't even have the card number itself, validity dates or CVV number on it anymore, just the bank logo, some background graphics and some words about how safe it is and that it was made with recyclable materials.
itissid · 2h ago
Always good advice for anything. A variation of this is that you should also not answer the negative: that you definitely did not do something, if someone asks you that on a phone call. This is meant to spread harm to others.

I was speaking to a pharmacist yesterday. Apparently certain pharmacy insurance companies in the US have set up call centers that randomly call people and ask.

"We are from the fraud check department. Did you ask to receive XYZ medication that your insurance paid $$$$$$ for?" The guy, whose salary is an order of magnitude smaller, immediately panics and denies he ever asked for XYZ, even though they are obviously taking the medication. The purpose is of course for pharmacy insurance companies to challenge/deny claims on ALL XYZ orders the pharmacy made.

Of course checking insurance payouts is a hassle so most people reach for panic first and shortly thereafter denial.

tracker1 · 2h ago
That's just icky.
itissid · 2h ago
And sadly true for most small pharmacists.
latexr · 1h ago
Same applies in person. I’ve had people knocking on my door offering a discount on my electric bill.

— You just need to accept <whatever, I forget> and you’ll pay less.

— But I don’t want to switch providers, I’m happy with the current one.

— Oh no, you’ll stay with the same provider, we’re with them, that doesn’t change.

— Alright, then I’ll call the company to discuss this further and get the discount.

— Unfortunately, this is only valid this way. Not by calling or online.

— Then I’m not interested. Bye.

One of my neighbours was tricked at a different time by a similar scam, forcing them into a contract with a different company.

larrik · 2h ago
Definitely. I get scammers calling me from a caller id that claims to be my bank asking about suspicious charges, and they know my name and have my account info, but they ask for my full credit card number to "verify" it. Yet, they give different suspicious charges every time you ask.

The worst part is that when I call the bank to see if it's legit, they are much less pleasant to deal with than the scammers...

pipo234 · 2h ago
> The worst part is that when I call the bank to see if it's legit, they are much less pleasant to deal with than the scammers...

+1

This is so true. I just never realized that is why I'm always tempted to not bother doing the right thing.

SketchySeaBeast · 2h ago
I've stopped trying to call - if I think there's a problem I go into my local branch. Much harder to put me on hold for 40 minutes and then hang up in person.
tracker1 · 2h ago
The spammy calls I've gotten lately are for "tax help from the IRS" ... I really feel there's a special place in hell for people that do that.
warwren · 2h ago
Sage advice
hombre_fatal · 2h ago
I got an official email from Paypal last week saying that I had a charge for $900 at Kraken, and to call some number if it's suspicious.

What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack.

The attack:

1. Register a paypal business account

2. Add the victim's email address (or one that forwards to them) to the biz account's "secondary users"

3. Add a custom invitation message about how they have a $900 charge that they need to contest by calling a phone number that you control.

4. Paypal shows your custom invitation message inline with their official email with no indication that it was written by someone other than paypal (wtf?)

Here's the email that was of course surrounded by Paypal's own official email chrome:

> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.

I called the number and some guy started asking me for my info starting with my full name. I didn't hang around on the call long enough to see what the attack was.

coldfoundry · 2h ago
Wow, that's pretty bad. Reminds me of the old Paypal Invoice scams where scammers would upload the paypal logo as the invoice logo (which appears top left) and essentially “bill” the user. The scammer then adds inside the invoice note a paragraph explaining “Your money is being held due to currency exchange issues”, which gives a basic reason for the “monetary deduction”. It got me as a kid, was quite slick for the time. Thought these scam-methods would be at least flagged these days before going out.
sschueller · 2h ago
This kind of incompetence should result in PayPal losing its banking permits in the EU. This is unacceptable and there is no way for an average person to identify the fraud and that is PayPal's fault.

There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!

gbalduzzi · 2h ago
Let's say someone falls for this.

What happens next, when they become the business account secondary user?

hombre_fatal · 2h ago
I added to my comment, but when you call the number, you talk to the attacker and they ask you questions about you and your account. Maybe they try to buy crypto with it or they prime you to go to some attack website and use your paypal account to buy something.
edm0nd · 2h ago
oh no, not at all.

They will attempt to get you to install AnyDesk or some kind of remote software and then pwn your computer. They will remote in "to fix the hack" because your computer is obviously infected with a virus. Then either just steal your money from your bank account or etc.

testdelacc1 · 2h ago
That's an exceptionally well crafted phishing email and landing page. It looks so real! Even the URL looks legit - github.rustfoundation.dev (the real URL is rustfoundation.org).

Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge).

As chad as Rust devs supposedly are, something tells me at least a few of them are going to fall for this attack.

diggan · 2h ago
> That's an exceptionally well crafted phishing email and landing page

I dunno, same was said about the npm email, but I think this one is even worse.

First off, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. What information would even be compromised here, the GitHub profile's email?

Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people, but fair enough, most people don't have knowledge of the Rust organizations I'm guessing.

Thirdly, if there truly was a security issue with crates, I'd expect that to be plastered all over the internet, not least the official Rust website and crates.io, immediately. They wouldn't wait and reach out to authors first, then publicly announce it. Would be my guess at least.

In the end, a tired and/or stressed person could miss all of those things, which happens sometimes with phishing. We're all human after all, shit goes through the cracks sometimes, even to the best of us.

That's why it's really important that people stop trying to fight phishing by manually preventing it by processes, or going to the website instead of clicking links and so on. Just get a password manager that connects domains with credentials, then when the list of accounts doesn't show up when you expect it to, pay close attention to what's going on. Otherwise you can just move forward without much thinking.

carols10cents · 2h ago
Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.
coldfoundry · 3h ago
Why does it seem like phishing is popular again? Maybe bad actors forgot how gullible humans were? I get phishing attempts nearly daily via email or sms and I honestly thought “Who would fall for this?” every time one came in.

The only phishing I can see that would be extremely hard to detect are browser extension injections (either in extension window or page replacement) so the domain is legitimate.

diggan · 3h ago
> Why does it seem like phishing is popular again?

Was it ever not popular? Looking at my spam box, I receive countless phishing attempts per week, and doing some quick queries of the total count over time, it seems to have more or less been the same for the last 2-3 years at the very least.

I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?

I think most people either have the phishing emails flagged, so they never see them. The ones that get seen get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their details. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it.

So I guess ultimately it's bound to become news every now and then, until everyone finally gets the memo to get a proper password manager that doesn't show accounts that don't belong to the domain.

kannanvijayan · 3h ago
Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains.
khy · 3h ago
A little thing that doesn't help the situation is when legitimate emails link you to domains that aren't obviously controlled by the company.

For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.

EvanAnderson · 3h ago
From my perspective, adjacent to front-line end user IT support in a lot of the work I do, phishing has never not been popular in the last couple decades.

It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).

tracker1 · 2h ago
One of the worst, my SO approved "notifications" on some website... and was getting viral alert notifications via that system. It looks like a typical tray notification in windows, and other than it's got a chrome header, it would be pretty easy to fall for. And this is why, before they passed, one of my Grandmothers was on Linux, and my other was on a Chromebook... no cleaning off random Windows malware twice a year.
ziml77 · 1h ago
Again? Phishing is a constant threat. And it's easy to fall for them because you only need to drop your guard once to become a victim. Stress, tiredness, or intoxication can all contribute to even someone who thinks they're good at spotting phishing attempts suddenly falling for one.
shit_game · 2h ago
I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not.
stravant · 3h ago
People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for.
whatamidoingyo · 3h ago
> People realized that past phishing attempts were quite badly constructed

I seem to recall that the typos and grammar errors were intentional. This gets rid of skeptical people, and you're left with those who are extremely gullible and likely to fall for it.

ranger207 · 1h ago
This current spate of attacks might be _because_ of that, in fact. Enough people know that phishing attacks are obviously low quality, so when they see a well-constructed message they're less suspicious.
rkomorn · 2h ago
First time I've heard this but it actually makes an awful lot of sense.
diggan · 3h ago
> and a well constructed one is actually really easy to fall for

It really shouldn't though, and something you need to be personally responsible for. If it's still possible in 2025 for you to fall for phishing attempts, you're missing something, something that starts with a p and ends with a assword manager.

JW_00000 · 2h ago
You must be joking. When I try to log in on Outlook I get redirected to 'microsoftonline.com' (suspicious), when I log in on Wikipedia it sends me to something called 'wikimedia.org' (typo squatter?). How the hell am I supposed to know whether npmjs.help or rustfoundation.dev are _not_ the official domains of those projects?
diggan · 2h ago
> You must be joking.

You must be joking, are you still not using a password manager at all?

When you create the username+password combo you either do it yourself, then put the domain in the password manager, or you use whatever the password manager infers at the registration page, then that's basically it, for most sites. Then 1% of the websites insist on using signin.example.com for login and signup.example.com for signup, so you add both domains to your password manager, or example.com.

Now whenever you login, you either see a list of accounts (means you're on the right domain) or you don't (which means the domain isn't correct). And before people whine about "autofill doesn't always work", it doesn't matter, the list should (also) show up from the extension modal/popup, so even if autofill doesn't work for that website, you'd be protected, since the list of accounts is empty for wrong domains.

It's really easy, and migrating to a password manager just sucks the first couple of days, every day after that you'd be happy you finally did it.

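As an added illustration of the domain check described in the comment above (example code written for this thread, not from any commenter or from any real password manager; the public-suffix list, the vault entries and the URLs tried are constructed sample data), this shows why a lookalike host such as github.rustfoundation.dev or npmjs.help gets an empty account list while signin.example.com still matches an entry saved for example.com:

```javascript
// Toy public-suffix list (constructed; a real manager uses the full PSL).
const PUBLIC_SUFFIXES = new Set(["com", "org", "dev", "help", "co.uk"]);

// Hostname of a URL, lower-cased, trailing dot removed; null for non-http(s).
function hostOf(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// Registrable domain (eTLD+1): "github.rustfoundation.dev" -> "rustfoundation.dev".
// This is what a manager would store when it infers the domain at signup.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return host;
}

// Domain a manager would save for the page where an account was created.
function inferEntryHost(url) {
  const host = hostOf(url);
  return host === null ? null : registrableDomain(host);
}

// An entry matches when the page host equals the stored host or is a
// subdomain of it. The leading "." in the suffix check matters: a bare
// endsWith("example.com") would also accept "notexample.com".
function entryMatches(entryHost, pageHost) {
  return pageHost === entryHost || pageHost.endsWith("." + entryHost);
}

// Accounts the manager would offer on this URL; empty on a wrong domain.
function accountsFor(vault, url) {
  const host = hostOf(url);
  if (host === null) return [];
  return vault.filter((e) => entryMatches(e.host, host));
}

// Constructed vault (sample data).
const VAULT = [
  { host: "github.com", user: "alice" },
  { host: "rustfoundation.org", user: "alice" },
  { host: "example.com", user: "alice@example.com" },
  { host: "npmjs.com", user: "alice" },
];

// Stand-alone demo: which entries show up on each page.
for (const url of [
  "https://github.com/login",
  "https://github.rustfoundation.dev/login",
  "https://npmjs.help/login",
  "https://signin.example.com/",
]) {
  console.log(url, "->", accountsFor(VAULT, url).map((e) => e.user));
}
```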
oguz-ismail · 3h ago
Nah, I can manage my own ass words. I wouldn't trust a third party to have access to all of them anyway.
autoexec · 1h ago
Having a password manager that doesn't involve having to trust third parties is what keepass is for
koakuma-chan · 3h ago
Phishing attempts are usually low-effort and easily seen through, npmjs.help one was good though.
stronglikedan · 3h ago
> low-effort and easily seen through

To make up for that, they cast a wide net. It's a numbers game, like the guys that ask every single woman they meet for their phone number. It costs nothing or next to it, and all you need is one for a payoff.

koakuma-chan · 2h ago
I think that if you actually make a proper phishing website, get an actually plausible domain, and not make spelling mistakes, you can increase your conversion rate dramatically. Also why do they ask for a phone number if you can just ask her out right away.
stusmall · 3h ago
It never became unpopular. It's one of, if not the, leading cause of compromise.
pmichaud · 3h ago
I experience and wonder the same thing, but literally yesterday I had to help my grandmother recover from a phishing scam that actually (very nearly) worked on her. So there you go.
Workaccount2 · 3h ago
The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you.
diggan · 3h ago
Is that different from other types of scams? You could say the same about most of them, they automatically filter away people not falling for it?
WesolyKubeczek · 3h ago
When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them.

You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them.

You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency.

Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.

tialaramex · 2h ago
> Don’t worry, when they actually target you, you’ll be caught.

When they target me, which happens, it doesn't work because of WebAuthn.

Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself, machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance, that is a foolish misallocation of resources.

immibis · 2h ago
"Your WebAuthn key enrollment period has expired. Please log in to re-enroll a new key."

Something similar to this was in the recent npmjs thing.

tialaramex · 1h ago
I can't find any trace of such a thing, do you have links?

What would it even mean to "log in" if they reject my authenticator ? Logging in is what it's for.

arjie · 2h ago
This is funny. The site https://github.rustfoundation.dev now only contains a single image that is the buff doge vs cheems meme.

Chad Rust Devs

vs.

Virgin NPM Devs Falling For Phishing

Amusing. You have to ignore SSL to get the image since the site has HSTS enabled.

A coincidence is that today I got a "two factor code from Coinbase. If you did not request this, call this number". Ho ho ho. Yes, I will call your number, Coinbase.

dmarto · 3h ago
Heh, the phishing page now redirects to a rickroll.
autoexec · 1h ago
All I get is the message "onto the next package manager. WHOHOOO! - stdout"
dmarto · 1h ago
And now the phishing page is advertising data for sale:

> crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)

So far: rickroll → Strong Dog vs Weak Dog meme → future plans → advertisement.

vlovich123 · 3h ago
Seems like an identical approach to the npm phishing attempts. There were some good suggestions last time like locking down the ability to upload packages for a few days after a security change.
otterley · 2h ago
GitHub supports passkeys. Just a friendly reminder for everyone to update their accounts to require passkey auth to prevent credential stealing.

https://docs.github.com/en/authentication/authenticating-wit...

quectophoton · 7m ago
This prompted me to check, and seems like KeePassXC supports storing passkeys, at least if you use the browser extension and enable a flag in its config. Until now I had thought it only supported unlocking your database with passkeys, I didn't know about it being able to actually store them.

I guess I'll try setting them up on some unimportant website to see for myself what all the hype is about.

prameshbajra · 3h ago
That email looked very genuine. I would have fallen for it. Not gonna lie.
burntsushi · 2h ago
My bluesky post was the one quoted in the OP.

I do think it was a decent attempt. A phishing attempt making it past gmail's spam filter is somewhat rare for me. Certainly less than weekly. And something this targeted is definitely a ~yearly occurrence (or less).

The major tip-offs for me were:

1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders.

2. If a security incident like this had occurred, there would 100% have been some kind of public communication about it on the rust-lang.org domain. I get notified whenever there's a new post there. So I knew this wasn't referencing a real event.

3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense.

And then finally, the URL is funny.

The somewhat scary part here though is that all of my points above come from being pretty dialed into the Rust organization and how things actually work.

But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a "forgot my password" flow or something).

Finally, when I worked at Salesforce, the IT team there would occasionally send out fake phishing emails and ask you to report them to the team. I never fell for one, but I assume if I had, I would have been notified about it. I thought it was a very effective campaign because it always kept me on my toes.

twodave · 2h ago
Being asked to login via an “internal login page” is a huge, bright red flag. It doesn’t matter what the reasoning is, if it’s not the same domain or an SSO integration that is well known to both you and the vendor then you shouldn’t be using it. This is security 101 type stuff.
hu3 · 2h ago
I've grown old enough to ignore sense of urgency when coupled with authentication.

That e-mail does not pass my sniff test.

shepmaster · 3h ago