Fraud crate in crates.io (j4rs) #8423
Replies: 3 comments 4 replies
-
I'm not sure whether this constitutes impersonation. It looks like it could also be a private fork of your project, since the author has their username appended to the package name. https://diff.rs/j4rs-171h/0.18.0/0.18.1/ shows the diff between the two versions of the crate. Unfortunately, that tool is not able to compare across different crate names AFAIK.
-
The repository field shows the original instead of some fork. I guess this allows hiding code, giving the wrong impression that this is legitimate code from the original repo.
-
Thanks for all the responses. I checked the Rust code, decompiled the Java code and did not find anything suspicious. Only the versions are changed, not the actual code. Anyway, we can close this discussion and I guess I will revisit this in the future with the hope to not find anything.
-
Hi, I published today a new release of the j4rs crate (0.18.0) and saw there is a crate that impersonates the real j4rs, having a patch version greater than reality (0.18.1). There is the possibility that someone by mistake uses the wrong crate.
What can I do?
Here is the fraud crate in crates.io: https://crates.io/crates/j4rs-171h.
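The thread notes that diff.rs cannot compare across crate names and that the copy differed only in its versions. The following is an added example, not part of the original discussion or of either project, showing one way to run that cross-name check locally. It assumes both `.crate` archives have already been downloaded and unpacked into directories; all function names are hypothetical.

```python
import hashlib
from pathlib import Path

# Written by cargo at package time; differs between any two uploads.
GENERATED = {".cargo_vcs_info.json"}

def normalize_manifest(text):
    """Drop only [package] name/version, so dependency changes still show up."""
    section, kept = "", []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            section = stripped
        key = stripped.split("=", 1)[0].strip()
        if section == "[package]" and key in ("name", "version"):
            continue
        kept.append(line)
    return "\n".join(kept)

def fingerprint(root):
    """Map each relative file path under root to a SHA-256 of its content."""
    root, out = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in GENERATED:
            continue
        data = path.read_bytes()
        if rel in ("Cargo.toml", "Cargo.toml.orig"):
            data = normalize_manifest(data.decode("utf-8")).encode()
        out[rel] = hashlib.sha256(data).hexdigest()
    return out

def compare_crates(original, suspect):
    """Report files that exist on one side only or whose content differs."""
    a, b = fingerprint(original), fingerprint(suspect)
    return {
        "only_in_original": sorted(a.keys() - b.keys()),
        "only_in_suspect": sorted(b.keys() - a.keys()),
        "changed": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
    }

def write_tree(root, files):
    """Helper for building constructed sample trees when trying this out."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
```

An empty report means the two trees match apart from the package name and version; an added `build.rs`, a changed dependency requirement, or a modified bundled binary appears under `only_in_suspect` or `changed`.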