Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors.
The Rust packages, published to crates.io, are listed below –

chrono_anchor
dnp3times
time_calibrator
time_calibrators
time-sync

The crates, per Socket, impersonate timeapi.io and were published between late February and early March
https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html