Merge PR #1706: Add 2025-09 PM update

Author: traviscross

content/2025-09-crates-io-phishing-campaign.md

@@ -0,0 +1,22 @@
++++
+path = "2025/09/12/crates-io-phishing-campaign"
+title = "crates.io phishing campaign"
+authors = ["Rust Security Response WG", "crates.io team"]
+aliases = []
++++
+
+We received multiple reports of a phishing campaign targeting crates.io users
+(from the `rustfoundation.dev` domain name), mentioning a compromise of our
+infrastructure and asking users to authenticate to limit damage to their crates.
+
+These emails are malicious and come from a domain name not controlled by  the
+Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing
+your GitHub credentials. We have no evidence of a compromise of the crates.io
+infrastructure.
+
+We are taking steps to get the domain name taken down and to monitor for
+suspicious activity on crates.io. Do not follow any links in these emails if you
+receive them, and mark them as phishing with your email provider.
+
+If you have any further questions please reach out to <[email protected]>
+and <[email protected]>.

content/Rust-1.90.0.md

@@ -0,0 +1,113 @@
++++
+path = "2025/09/18/Rust-1.90.0"
+title = "Announcing Rust 1.90.0"
+authors = ["The Rust Release Team"]
+aliases = ["releases/1.90.0"]
+
+[extra]
+release = true
++++
+
+The Rust team is happy to announce a new version of Rust, 1.90.0. Rust is a programming language empowering everyone to build reliable and efficient software.
+
+If you have a previous version of Rust installed via `rustup`, you can get 1.90.0 with:
+
+```console
+$ rustup update stable
+```
+
+If you don't have it already, you can [get `rustup`](https://www.rust-lang.org/install.html) from the appropriate page on our website, and check out the [detailed release notes for 1.90.0](https://doc.rust-lang.org/stable/releases.html#version-1900-2025-09-18).
+
+If you'd like to help us out by testing future releases, you might consider updating locally to use the beta channel (`rustup default beta`) or the nightly channel (`rustup default nightly`). Please [report](https://github.com/rust-lang/rust/issues/new/choose) any bugs you might come across!
+
+## What's in 1.90.0 stable
+
+# LLD is now the default linker on `x86_64-unknown-linux-gnu`
+
+The `x86_64-unknown-linux-gnu` target will now use the LLD linker for linking Rust crates by default. This should result in improved linking performance vs the default Linux linker (BFD), particularly for large binaries, binaries with a lot of debug information, and for incremental rebuilds.
+
+In the vast majority of cases, LLD should be backwards compatible with BFD, and you should not see any difference other than reduced compilation time. However, if you do run into any new linker issues, you can always opt out using the `-C linker-features=-lld` compiler flag. Either by adding it to the usual `RUSTFLAGS` environment variable, or to a project's [`.cargo/config.toml`](https://doc.rust-lang.org/cargo/reference/config.html) configuration file,
+like so:
+
+```toml
+[target.x86_64-unknown-linux-gnu]
+rustflags = ["-Clinker-features=-lld"]
+```
+
+If you encounter any issues with the LLD linker, please [let us know](https://github.com/rust-lang/rust/issues/new/choose). You can read more about the switch to LLD, some benchmark numbers and the opt out mechanism [here](https://blog.rust-lang.org/2025/09/01/rust-lld-on-1.90.0-stable/).
+
+### Cargo adds native support for workspace publishing
+
+`cargo publish --workspace` is now supported, automatically publishing all of
+the crates in a workspace in the right order (following any dependencies
+between them).
+
+This has long been possible with external tooling or manual ordering of
+individual publishes, but this brings the functionality into Cargo itself.
+
+Native integration allows Cargo's publish verification to run a build across
+the full set of to-be-published crates *as if* they were published, including
+during dry-runs. Note that publishes are still not atomic -- network errors or
+server-side failures can still lead to a partially published workspace.
+
+### Demoting `x86_64-apple-darwin` to Tier 2 with host tools
+
+GitHub will soon [discontinue][gha-sunset] providing free macOS x86\_64 runners for public repositories. Apple has also announced their [plans][apple] for discontinuing support for the x86\_64 architecture.
+
+In accordance with these changes, as of Rust 1.90, we have [demoted the `x86_64-apple-darwin` target][rfc] from [Tier 1 with host tools](https://doc.rust-lang.org/stable/rustc/platform-support.html#tier-1-with-host-tools) to [Tier 2 with host tools](https://doc.rust-lang.org/stable/rustc/platform-support.html#tier-2-with-host-tools). This means that the target, including tools like `rustc` and `cargo`, will be guaranteed to build but is not guaranteed to pass our automated test suite.
+
+For users, this change will not immediately cause impact. Builds of both the standard library and the compiler will still be distributed by the Rust Project for use via `rustup` or alternative installation methods while the target remains at Tier 2. Over time, it's likely that reduced test coverage for this target will cause things to break or fall out of compatibility with no further announcements.
+
+[apple]: https://en.wikipedia.org/wiki/Mac_transition_to_Apple_silicon#Timeline
+[gha-sunset]: https://github.blog/changelog/2025-07-11-upcoming-changes-to-macos-hosted-runners-macos-latest-migration-and-xcode-support-policy-updates/#macos-13-is-closing-down
+[rfc]: https://github.com/rust-lang/rfcs/pull/3841
+
+### Stabilized APIs
+
+- [`u{n}::checked_sub_signed`](https://doc.rust-lang.org/stable/std/primitive.usize.html#method.checked_sub_signed)
+- [`u{n}::overflowing_sub_signed`](https://doc.rust-lang.org/stable/std/primitive.usize.html#method.overflowing_sub_signed)
+- [`u{n}::saturating_sub_signed`](https://doc.rust-lang.org/stable/std/primitive.usize.html#method.saturating_sub_signed)
+- [`u{n}::wrapping_sub_signed`](https://doc.rust-lang.org/stable/std/primitive.usize.html#method.wrapping_sub_signed)
+- [`impl Copy for IntErrorKind`](https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Copy-for-IntErrorKind)
+- [`impl Hash for IntErrorKind`](https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Hash-for-IntErrorKind)
+- [`impl PartialEq<&CStr> for CStr`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3C%26CStr%3E-for-CStr)
+- [`impl PartialEq<CString> for CStr`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCString%3E-for-CStr)
+- [`impl PartialEq<Cow<CStr>> for CStr`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CStr)
+- [`impl PartialEq<&CStr> for CString`](https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3C%26CStr%3E-for-CString)
+- [`impl PartialEq<CStr> for CString`](https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCStr%3E-for-CString)
+- [`impl PartialEq<Cow<CStr>> for CString`](https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CString)
+- [`impl PartialEq<&CStr> for Cow<CStr>`](https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3C%26CStr%3E-for-Cow%3C'_,+CStr%3E)
+- [`impl PartialEq<CStr> for Cow<CStr>`](https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCStr%3E-for-Cow%3C'_,+CStr%3E)
+- [`impl PartialEq<CString> for Cow<CStr>`](https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCString%3E-for-Cow%3C'_,+CStr%3E)
+
+These previously stable APIs are now stable in const contexts:
+
+- [`<[T]>::reverse`](https://doc.rust-lang.org/stable/std/primitive.slice.html#method.reverse)
+- [`f32::floor`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.floor)
+- [`f32::ceil`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.ceil)
+- [`f32::trunc`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.trunc)
+- [`f32::fract`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.fract)
+- [`f32::round`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round)
+- [`f32::round_ties_even`](https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round_ties_even)
+- [`f64::floor`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.floor)
+- [`f64::ceil`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.ceil)
+- [`f64::trunc`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.trunc)
+- [`f64::fract`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.fract)
+- [`f64::round`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round)
+- [`f64::round_ties_even`](https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round_ties_even)
+
+### Platform Support
+
+- `x86_64-apple-darwin` is now a tier 2 target
+
+Refer to Rust’s [platform support page][platform_support_page] for more information on Rust’s tiered platform support.
+
+### Other changes
+
+Check out everything that changed in [Rust](https://github.com/rust-lang/rust/releases/tag/1.90.0), [Cargo](https://doc.rust-lang.org/nightly/cargo/CHANGELOG.html#cargo-190-2025-09-18), and [Clippy](https://github.com/rust-lang/rust-clippy/blob/master/CHANGELOG.md#rust-190).
+
+## Contributors to 1.90.0
+
+Many people came together to create Rust 1.90.0. We couldn't have done it without all of you. [Thanks!](https://thanks.rust-lang.org/rust/1.90.0/)
+
+[platform_support_page]: https://doc.rust-lang.org/rustc/platform-support.html

content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md

@@ -0,0 +1,56 @@
++++
+path = "2025/09/24/crates.io-malicious-crates-fasterlog-and-asyncprintln"
+title = "crates.io: Malicious crates faster_log and async_println"
+authors = ["Walter Pearce"]
+
+[extra]
+team = "the crates.io team"
+team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io"
++++
+
+**Updated September 24th, 2025 17:34:38 UTC** - Socket has also published their own [accompanying blog post][socket-blog] about the attack.
+
+## Summary
+
+On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solana private keys, and arbitrary byte arrays for exfiltration.
+
+These crates were:
+- `faster_log` - Published on May 25th, 2025, downloaded 7181 times
+- `async_println` - Published on May 25th, 2025, downloaded 1243 times
+
+The malicious code was executed at runtime, when running or testing a project depending on them. Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, and documentation of legitimate crates, using a similiar name to them (a case of typosquatting[^typosquatting]).
+
+## Actions taken
+
+The users in question were immediately disabled, and the crates in question were deleted[^deletion] from crates.io shortly after. We have retained copies of all logs associated with the users and the malicious crate files for further analysis.
+
+The deletion was performed at 15:34 UTC on September 24, 2025.
+
+## Analysis
+
+Both crates were copies of a crate which provided logging functionality, and the logging implementation remained functional in the malicious crates. The original crate had a feature which performed log file packing, which iterated over an associated directories files.
+
+The attacker inserted code to perform the malicious action during a log packing operation, which searched the log files being processed from that directory for:
+
+- Quoted Ethereum private keys (0x + 64 hex)
+- Solana-style Base58 secrets
+- Bracketed byte arrays
+
+The crates then proceeded to exfiltrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`.
+
+These crates had no dependent downstream crates on crates.io.
+
+The malicious users associated with these crates had no other crates or publishes, and the team is actively investigating associative actions in our retained[^retention] logs.
+
+## Thanks
+
+Our thanks to Kirill Boychenko from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team, Pietro Albini from the Rust Security Response WG and Walter Pearce from the [Rust Foundation][foundation] for aiding in the response.
+
+[^deletion]: The crates were preserved for future analysis should there be other attacks, and to inform scanning efforts in the future.
+[^retention]: One year of logs are retained on crates.io, but only 30 days are immediately available on our log platform. We chose not to go further back in our analysis, since IP address based analysis is limited by the use of dynamic IP addresses in the wild, and the relevant IP address being part of an allocation to a residential ISP.
+[^typosquatting]: typosquatting is a technique used by bad actors to initiate dependency confusion attacks where a legitimate user might be tricked into using a malicious dependency instead of their intended dependency — for example, a bad actor might try to publish a crate at `proc-macro3` to catch users of the legitimate `proc-macro2` crate.
+
+[foundation]: https://foundation.rust-lang.org/
+[init]: https://foundation.rust-lang.org/news/2022-09-13-rust-foundation-establishes-security-team/
+[socket]: https://www.socket.dev/
+[socket-blog]: https://socket.dev/blog/two-malicious-rust-crates-impersonate-popular-logger-to-steal-wallet-keys

content/inside-rust/[email protected]

@@ -0,0 +1,28 @@
++++
+path = "inside-rust/2025/09/23/leadership-council-repr-selection"
+title = "Leadership Council September 2025 Representative Selections"
+authors = ["Eric Huss"]
+
+[extra]
+team = "Leadership Council"
+team_url = "https://www.rust-lang.org/governance/teams/leadership-council"
++++
+
+The September 2025 selections for [Leadership Council] representatives have been finalized. The [infrastructure team][infra] has chosen [Jakub Beránek] as their new representative. [TC], [Mara Bos], and [Oli Scherer] will continue to represent [lang], [libs], and [mods] respectively.
+
+We'd like to give our thanks to outgoing representative [Mark Rousskov] for being instrumental to the formation of the Council and representing the infrastructure team these past two years. We've greatly appreciated Mark's support!
+
+Thanks to everyone who participated in the process! The next representative selections will be in March 2026 for the other half of the Council.
+
+[Leadership Council]: https://www.rust-lang.org/governance/teams/leadership-council
+
+[Infra]: https://www.rust-lang.org/governance/teams/infra
+[Lang]: https://www.rust-lang.org/governance/teams/lang
+[Libs]: https://www.rust-lang.org/governance/teams/library
+[Mods]: https://www.rust-lang.org/governance/teams/moderation
+
+[Jakub Beránek]: https://github.com/Kobzol/
+[Mara Bos]: https://github.com/m-ou-se
+[TC]: https://github.com/traviscross/
+[Oli Scherer]: https://github.com/oli-obk
+[Mark Rousskov]: https://github.com/Mark-Simulacrum