FIND-20260411-002 · 2026-04-11 · Innovation Veille

RUSTSEC-2026-0084: logprinter malicious crate — supply chain attack (remote code execution)

cve HIGH
The logprinter crate was removed from crates.io on April 9, 2026 after being identified as malicious. The package downloaded code from an external HTTP endpoint and executed it within its trace() function — a classic supply chain attack pattern linked to North Korean threat actor campaigns. All versions are affected; no patch exists. ODS Rust services should audit Cargo.lock files for this crate. Direct ODS dependency is unlikely given the obscure crate name, but transitive inclusion is possible.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0084.html

ODS Impact

All ODS Rust services (oid, billing-engine, pdf-engine, docstore, etc.). Run `cargo tree | grep logprinter` in each service to confirm absence. The advisory is a broader supply chain warning — review similar lesser-known logging crates.
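The Cargo.lock audit recommended above can also be run across a whole checkout without invoking cargo; this is an added example, not ODS or RustSec code, and it matches the `[[package]]` name exactly so that similarly named crates are not reported. The directory layout, the `0.0.0` versions and the `logprinter-lookalike` name are constructed sample data.

```shell
#!/bin/sh
# Exact-name audit of every Cargo.lock under a directory tree.

# find_locked_crate CRATE ROOT
# Prints "<lockfile> <crate> <version>" per hit; returns 0 on any hit, 1 on none.
find_locked_crate() {
    crate=$1 root=$2
    hits=$(find "$root" -type f -name Cargo.lock -exec awk -v want="$crate" '
        FNR == 1          { name = "" }                 # reset state per lockfile
        /^\[\[package\]\]/ { name = ""; next }          # new package table
        /^name = /    { name = $3; gsub(/"/, "", name); next }
        /^version = / { v = $3; gsub(/"/, "", v)
                        if (name == want) print FILENAME, name, v }
    ' {} +)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_sample DIR: writes constructed lockfiles (placeholder versions).
make_sample() {
    mkdir -p "$1/oid" "$1/billing-engine"
    cat > "$1/oid/Cargo.lock" <<'EOF'
version = 3

[[package]]
name = "oid"
version = "0.0.0"
dependencies = [
 "logprinter",
]

[[package]]
name = "logprinter"
version = "0.0.0"
EOF
    cat > "$1/billing-engine/Cargo.lock" <<'EOF'
version = 3

[[package]]
name = "logprinter-lookalike"
version = "0.0.0"
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
find_locked_crate logprinter "$sample" || echo "logprinter: not locked anywhere"
rm -rf "$sample"
```

A non-zero return means no lockfile under the root pins the crate, so the function can gate a CI step directly.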

Security Review

License: Unknown (malicious crate) | Maintenance: ABANDONED | Risk: HIGH | Recommendation: DO_NOT_USE

Tags

rust supply-chain malicious-crate cve security cargo