About supply-chain attacks

I have another catastrophic scenario to worry about: a worm that automatically infects the crates.io ecosystem:

  1. Developer builds or runs an infected crate
  2. The malware crate finds which crates belong to the developer, modifies them to be malicious, and uses stolen ~/.cargo/credentials or unprotected cargo publish to publish infected crates as the developer.
  3. After a few infections it hits a developer of a popular crate on crates.io that has tens of thousands of users.
  4. Within hours every crate on crates.io is full of viruses, all Rust users are pwned, and all Rust projects have to be considered compromised and dangerous.

~/.cargo/credentials sits unprotected in plain text, and cargo publish doesn't require any 2FA like TOTP or FIDO key, so developers' machines are incredibly at risk of immediately and automatically spreading viruses to other Cargo users.

22 Likes
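The two weaknesses named in the post (a plain-text token file and no second factor on publish) can at least be audited on a developer machine. The following is an added example, written here from a defender's point of view; it is not code from the post or from the Cargo project. It assumes the token lives in `~/.cargo/credentials.toml` (or the older `~/.cargo/credentials`) as `token = "..."` lines, and that the `[registry] credential-provider` key in `~/.cargo/config.toml` selects where Cargo stores tokens, with `cargo:token` meaning the on-disk file and `cargo:wincred`, `cargo:macos-keychain` and `cargo:libsecret` meaning an OS keyring (Cargo 1.74+ config, taken from Cargo's documentation rather than from the post). The sample file contents are constructed, and the token value is a placeholder.

```python
import re
import stat
from pathlib import Path

# Constructed sample of a plain-text credentials file (placeholder token, not a real one).
SAMPLE_CREDENTIALS = """\
[registry]
token = "cio_PLACEHOLDER_NOT_A_REAL_TOKEN"
"""

# Constructed config that keeps the default on-disk token store.
SAMPLE_CONFIG_UNSAFE = """\
[registry]
credential-provider = ["cargo:token"]
"""

# Constructed config that routes the token through the OS keyring instead.
SAMPLE_CONFIG_SAFER = """\
[registry]
credential-provider = ["cargo:libsecret"]
"""

# Providers that hand the token to an OS keyring rather than writing it to disk
# (names assumed from Cargo's documentation of the credential-provider feature).
KEYRING_PROVIDERS = {"cargo:wincred", "cargo:macos-keychain", "cargo:libsecret"}

TOKEN_LINE = re.compile(r'^\s*token\s*=\s*"[^"]*"', re.MULTILINE)
PROVIDER_LIST = re.compile(r'^\s*credential-provider\s*=\s*\[(.*?)\]', re.MULTILINE | re.DOTALL)


def plaintext_token_count(credentials_text: str) -> int:
    """Number of token = "..." entries stored in clear text."""
    return len(TOKEN_LINE.findall(credentials_text))


def credential_providers(config_text: str) -> list[str]:
    """Provider names listed under credential-provider, in order; empty if unset."""
    match = PROVIDER_LIST.search(config_text)
    if not match:
        return []
    return re.findall(r'"([^"]*)"', match.group(1))


def audit(credentials_text: str, config_text: str, file_mode: int) -> list[str]:
    """Return human-readable findings for one developer machine's Cargo setup."""
    findings = []
    tokens = plaintext_token_count(credentials_text)
    if tokens:
        findings.append(f"{tokens} publish token(s) stored in plain text on disk")
    # A world- or group-readable token file widens who can publish as this developer.
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("credentials file is readable by group or others")
    providers = credential_providers(config_text)
    if not KEYRING_PROVIDERS.intersection(providers):
        findings.append("no OS keyring credential provider configured; tokens stay on disk")
    return findings


def audit_home(home: Path) -> list[str]:
    """Run the audit against a real home directory (no findings if nothing is there)."""
    cargo = home / ".cargo"
    cred_path = next((p for p in (cargo / "credentials.toml", cargo / "credentials") if p.exists()), None)
    credentials_text = cred_path.read_text() if cred_path else ""
    mode = stat.S_IMODE(cred_path.stat().st_mode) if cred_path else 0
    config_path = cargo / "config.toml"
    config_text = config_path.read_text() if config_path.exists() else ""
    return audit(credentials_text, config_text, mode)


if __name__ == "__main__":
    for line in audit_home(Path.home()) or ["no findings"]:
        print(line)
```

Run as a script it reports on the current user's `~/.cargo`; the pure functions let the same logic run in a fleet-wide check that feeds file contents and modes collected elsewhere. A clean result only means the token is in a keyring with a private file mode; it does nothing about the missing second factor on `cargo publish`, which only the registry side can add.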