---
id: GHSA-99j7-fhr2-xfj4
title: '`exploration` was removed from crates.io for malicious code'
summary: '`exploration` was removed from crates.io for malicious code'
severity: critical
cwe:
  - CWE-506
vendor: exploration
product: exploration
ecosystem: rust
affected:
  - exploration >= 0
published: '2026-07-10'
updated: '2026-07-10'
source: GHSA
sourceUrl: 'https://github.com/advisories/GHSA-99j7-fhr2-xfj4'
references:
  - url: 'https://rustsec.org/advisories/RUSTSEC-2026-0155.html'
  - url: 'https://github.com/advisories/GHSA-99j7-fhr2-xfj4'
tags:
  - ghsa
  - rust
ingestedAt: '2026-07-10T20:06:10.766Z'
---

## Overview

A method within the `exploration` crate attempted to download and execute a payload from a remote site.

The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io.

Rustsec to Kirill Boychenko from the [Socket Threat Research Team](https://socket.dev/) for reporting this crate.

## Affected packages

- `exploration >= 0`

## Remediation

Refer to the advisory for the patched release.
