I have another catastrophic scenario to worry about: a worm that automatically infects the crates.io ecosystem:
- Developer builds or runs an infected crate
- The malware crate finds which crates belong to the developer, modifies them to be malicious, and uses stolen `~/.cargo/credentials` or unprotected `cargo publish` to publish infected crates as the developer.
- After a few infections it hits a developer of a popular crate on crates.io that has tens of thousands of users.
- Within hours every crate on crates.io is full of viruses, all Rust users are pwned, and all Rust projects have to be considered compromised and dangerous.

`~/.cargo/credentials` sits unprotected in plain text, and `cargo publish` doesn't require any 2FA like TOTP or FIDO key, so developers' machines are incredibly at risk of immediately and automatically spreading viruses to other Cargo users.
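A defender-side check for the plain-text token condition the post describes, written here as an added example (it is not code from the post or from Cargo): it reports whether a Cargo credentials file holds a registry token and whether its permission bits let other local users read it. It assumes a POSIX shell with GNU or BSD `stat`, and checks both file names Cargo has used, `~/.cargo/credentials` and `~/.cargo/credentials.toml`.

```shell
#!/bin/sh
# Added example, not from the forum post: audit the plain-text Cargo registry
# token on this machine. Assumes POSIX sh and GNU (-c) or BSD (-f) stat.

# Exit status: 0 = no token on disk, 1 = token readable by group/others,
# 2 = token present but restricted to the owner (still plain text).
audit_cargo_credentials() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "ok: no credentials file at $file, nothing for malware to steal"
        return 0
    fi
    if ! grep -q '^[[:space:]]*token[[:space:]]*=' "$file"; then
        echo "ok: $file exists but holds no token"
        return 0
    fi
    # Octal permission bits, e.g. 600 or 644 (GNU stat first, BSD stat fallback).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    # Keep only the group and other digits.
    rest=$(printf '%s' "$mode" | tail -c 2)
    if [ "$rest" != "00" ]; then
        echo "EXPOSED: $file has mode $mode; token is readable by other local users"
        return 1
    fi
    echo "WARN: $file holds a plain-text token (mode $mode); remove it when not publishing"
    return 2
}

# Check both file names Cargo has used and report the worst finding.
audit_default_locations() {
    worst=0
    for f in "$HOME/.cargo/credentials" "$HOME/.cargo/credentials.toml"; do
        audit_cargo_credentials "$f" && rc=0 || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return $worst
}

audit_default_locations
```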