{"id":"GHSA-99j7-fhr2-xfj4","title":"`exploration` was removed from crates.io for malicious code","summary":"`exploration` was removed from crates.io for malicious code","severity":"critical","cwe":["CWE-506"],"vendor":"exploration","product":"exploration","ecosystem":"rust","affected":["exploration >= 0"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-99j7-fhr2-xfj4","references":[{"url":"https://rustsec.org/advisories/RUSTSEC-2026-0155.html"},{"url":"https://github.com/advisories/GHSA-99j7-fhr2-xfj4"}],"tags":["ghsa","rust"],"ingestedAt":"2026-07-10T20:06:10.766Z","slug":"GHSA-99j7-fhr2-xfj4","body":"## Overview\n\nA method within the `exploration` crate attempted to download and execute a payload from a remote site.\n\nThe malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io.\n\nRustsec to Kirill Boychenko from the [Socket Threat Research Team](https://socket.dev/) for reporting this crate.\n\n## Affected packages\n\n- `exploration >= 0`\n\n## Remediation\n\nRefer to the advisory for the patched release.","depth":"midnight","depthScore":52,"depthScoreParts":{"impact":52.3,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}