An update to the malicious crate notification policy (Rust Blog)

Adam Harvey, on behalf of the crates.io team, has published a blog post to inform users of a change in the team's practice of publishing information about malicious Rust crates:

The crates.io team will no longer publish a blog post each time a malicious crate is detected or reported. In the vast majority of cases to date, these notifications have involved crates that have no evidence of real world usage, and we feel that publishing these blog posts is generating noise, rather than signal.

We will always publish a RustSec advisory when a crate is removed for containing malware. You can subscribe to the RustSec advisory RSS feed to receive updates.

Crates that contain malware and are seeing real usage or exploitation will still get both a blog post and a RustSec advisory. We may also notify via additional communication channels (such as social media) if we feel it is warranted.

Too Many?

Posted Feb 19, 2026 2:10 UTC (Thu) by welinder (guest, #4699) [Link] (15 responses)

I think there's a message about systemic risk hidden somewhere if there are so many malicious packages in the system that the reporting is considered noise.

If malicious packages mixed in with the real ones is just a fact of life, then not steering people to the wrong packages ought to be policy. So how do people end up with the bogus ones? My guess is search, so is it responsible to have search functionality on crates.io? The current sort order is "relevance", whatever that means, but I can't imagine it's very hard to influence with a suggestive title and a bit of a download campaign.

Too Many?

Posted Feb 19, 2026 2:45 UTC (Thu) by hmanning77 (subscriber, #160992) [Link]

> So how do people end up with the bogus ones?

The point seems to be that they don't, and announcing every failed typosquatting attempt risks people ignoring announcements about issues which actually do need to be addressed. Successful typosquatting campaigns apparently remain rare enough:

> Crates that contain malware and are seeing real usage or exploitation will still get both a blog post and a RustSec advisory.

Too Many?

Posted Feb 19, 2026 9:39 UTC (Thu) by Wol (subscriber, #4433) [Link] (13 responses)

> The current sort order is "relevance", whatever that means, but I can't imagine it's very hard to influence with a suggestive title and a bit of a download campaign.

Given that "relevance" often pushes an exact match *down* the sort order :-( I do often wonder what sort of NI (Natural Intelligence) thinks that makes sense as the default ... especially when one starts thinking "relevant to *who*?". I do hope we don't get back to the days of search engines pre-google when the more you clicked on links that appeared to match your search criteria (but didn't), the more you got presented with even "more of the same" because the system assumed "you're clicking on these links so that must be what you want".

Cheers,
Wol

Too Many?

Posted Feb 19, 2026 11:50 UTC (Thu) by taladar (subscriber, #68407) [Link]

I doubt "Relevance" is the same algorithm everywhere; it is mainly just a short-hand for "our recommended sort order that weighs multiple fields".

Too Many?

Posted Feb 19, 2026 17:09 UTC (Thu) by kleptog (subscriber, #1183) [Link] (11 responses)

It's often useful to consider more metrics than exact matches. Which is better: the app with a million installs and 4.5 stars, or the app with 2 installs and 5 stars?

Do you want the page that has all your search terms but is on some obscure site? Or one with only most of your terms but on a much more popular site?

You can argue either way, but it's not a slam-dunk in either case.

The thing LLMs have added is that searches match more on the meaning behind the words rather than the exact words themselves. Search engines were getting there, but it's been a big jump recently.

Too Many?

Posted Feb 19, 2026 17:27 UTC (Thu) by Wol (subscriber, #4433) [Link] (9 responses)

> Which is better: the app with a million installs and 4.5 stars, or the app with 2 installs and 5 stars?

Which is better - a direct hit on exactly what you're looking for, or searching through several pages of search results before you find what you were looking for?

The problem with moving an exact match down the search results, is that you piss off all the people who knew exactly WHAT they were looking for, but not WHERE it was. Certainly for sales people, that's a BIG problem - and that's why I get upset. It's normally shop sites, and if I type in the product name verbatim, I expect the search to highlight THAT product. Yes I know the shop might want to sell me something different, but I might decide if the shop isn't interested in selling me what I want, I'm better off going somewhere else.

It all smacks of "Big Brother" and "we know best what you want". Know what - you're not mind readers, and if you prefer to push something at me that's completely unsuitable for my circumstances, I *WILL* go elsewhere.

Cheers,
Wol

Too Many?

Posted Feb 19, 2026 17:31 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 response)

> The thing LLMs have added is that searches match more on the meaning behind the words rather than the exact words themselves. Search engines were getting there, but it's been a big jump recently.

And this is where people get upset. Don't second guess. You'll screw up - guaranteed.

Yes it's nice that LLMs try to understand what you really want, but an EXACT MATCH is exactly that - it's EXACTLY what you asked for. It would be nice if they offered it to you at the top of the list.

Cheers,
Wol

Too Many?

Posted Feb 19, 2026 18:38 UTC (Thu) by brunowolff (guest, #71160) [Link]

> And this is where people get upset. Don't second guess. You'll screw up - guaranteed.

If a process does what I say, rather than what I want, that's on me and I can fix it. If a process does what it thinks I want, I can no longer trust it and don't have a reliable way to get it to do what I want.

Too Many?

Posted Feb 19, 2026 18:01 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

If you know exactly what you're looking for, click on any crate and then edit the URL (or learn the URL format and directly type it). This works on most sites, except for the annoying ones that use opaque hex codes instead of proper URL slugs. But crates.io is not one of those sites.

Too Many?

Posted Feb 19, 2026 20:05 UTC (Thu) by Nahor (subscriber, #51583) [Link] (5 responses)

> a direct hit on exactly what you're looking for

Isn't that the exact reason typo-squatting is a thing? You might know what you want, but your fingers don't always.

Then there is the question: do you know, or do you think you know? Common issues:
- names that have a deliberate typo (tokio, the async framework, vs tokyo, Japan's capital), i.e. similar to fat finger, but with a fat brain instead.
- names with two words, where it can be easy to swap the order
- names with two words with/without a separator (rustversion or rust-version)
- names with plural vs singular nouns
- ...

And of course, there is the most basic question: what are you actually searching for?
Often enough, crate names are related to their functionality. So how does the search engine know if you're searching for a specific crate with that name, or for any crate with that functionality?
If you're searching for "regular expression", are you really interested in the 5y old "regular-expression" crate with 2k downloads, or are you more likely to want the "regex" crate, regularly updated and with 700M downloads?

For that matter, in the case of "regular expression", it's 2nd on the 1st page, while "regex" is at the bottom of the 2nd page, which I think is a big fail.

> you're not mind readers, and if you prefer to push something at me that's completely unsuitable for my circumstances.

And yet, you expect the engine to mind-read your circumstances, to know that you know exactly what you're searching for, instead of searching something that fits a need based on common keywords.
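A defender-side check for the confusion patterns listed above (deliberate typos, swapped word order, separator variants, plural vs singular), as an added example that is not part of the thread and not crates.io or cargo tooling: it flags a requested dependency name that collides with a name you already trust after normalising, or that is one keystroke away. The allow-list is constructed sample data and the `check` function and `Verdict` type are hypothetical names.

```rust
// Words of a crate name, lowercased, crudely singularised (trailing 's' dropped), split on '-' / '_'.
fn words(name: &str) -> Vec<String> {
    name.to_ascii_lowercase()
        .split(|c: char| c == '-' || c == '_')
        .filter(|w| !w.is_empty())
        .map(|w| w.trim_end_matches('s').to_string())
        .collect()
}
// Canonical key: words sorted and joined, so "rust-version", "version_rust"
// and "rustversion" all become "rustversion" (word order and separators vanish).
fn canonical(name: &str) -> String {
    let mut w = words(name);
    w.sort();
    w.concat()
}
// Levenshtein distance, to catch one-keystroke slips such as "tokyo" for "tokio".
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            cur.push((prev[j] + usize::from(ca != cb)).min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Known,              // exact match on the allow-list
    Confusable(String), // resembles a known name: stop and verify before adding it
    Unknown,            // nothing on the allow-list resembles it
}
// Compare a requested dependency name against names you already trust (hypothetical API).
// False positives are acceptable: a Confusable hit means "look before you add".
pub fn check(requested: &str, known: &[&str]) -> Verdict {
    let req = requested.to_ascii_lowercase();
    if known.iter().any(|k| k.to_ascii_lowercase() == req) {
        return Verdict::Known;
    }
    let key = canonical(&req);
    let hit = known.iter().find(|k| {
        canonical(k) == key || edit_distance(&req, &k.to_ascii_lowercase()) <= 1
    });
    hit.map_or(Verdict::Unknown, |k| Verdict::Confusable(k.to_string()))
}
fn main() {
    let known = ["tokio", "regex", "rustversion", "serde_derive"]; // constructed allow-list
    let names = ["tokyo", "rust-version", "serde-derives", "imaginary-crate"];
    names.iter().for_each(|n| println!("{n}: {:?}", check(n, &known)));
}
```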

Too Many?

Posted Feb 19, 2026 20:56 UTC (Thu) by Wol (subscriber, #4433) [Link] (4 responses)

> And yet, you expect the engine to mind-read your circumstances, to know that you know exactly what you're searching for, instead of searching something that fits a need based on common keywords.

I don't! It's a computer. I expect it to do what I told it to! If it does a load of other stuff as well, then maybe great, maybe not. But as another poster said, if it DOESN'T do what I told it to, I can no longer trust it.

And if I really DO know what I'm searching for, how am I supposed to find it if the search engine won't do as it's told? (I work for a supermarket, as I've said. Our search engine really is this stupid ... :-( You can type the product name letter for letter, and the search engine won't find it - type a bunch of relevant keywords and it - often but not always - will find it :-( How do you trust something that demonstrably stupid?)

Simply put "all this fancy stuff may be fine, but if you can't get the basics right ..." (ie find what the user ACTUALLY ASKED FOR ...)

Anyways, we're wandering and repeating ourselves. This all started because I asked "why if you're sorting by relevance, does that mean you DON'T put an EXACT MATCH at the top of the search".

Cheers,
Wol

Too Many?

Posted Feb 20, 2026 4:48 UTC (Fri) by iabervon (subscriber, #722) [Link] (3 responses)

It seems to me like the intended usage in this ecosystem is that, if you know the exact name of the crate, you don't go to crates.io's main page and search, you get a direct link from cargo to the actual package you're using. I've already been burned by trying to find the latest version of the Rust argon2 library for a secure coding training and getting the wrong library because it was exactly what I'd typed rather than an exact match for the string in the file. (Both libraries are well-respected implementations of the same algorithm with some different properties, but they differ in which versions exist and which are current.)

Too Many?

Posted Feb 25, 2026 19:25 UTC (Wed) by nlucas (subscriber, #33793) [Link] (2 responses)

I believe the OP's quest, and mine also, is not about searches being always exact to a fault, but about being predictable.

The Google feature about answering with a different search term when it thinks you made a mistake was a good step in the right direction. It is clearly visible it did that and allows you to click on the exact term you wanted if it was its mistake.

On the other hand, search algorithms are now completely unpredictable, probably for some good reason like slop abuse, but you just can't know anymore what will appear in a search result for the same term at different times.

AI search helps a bit because you can make it more specific with words that have meaning. But you also can't predict what the AI will throw at you. And it's not the first time one has offered to tell me where I can buy things I never asked for.

So AI comes to help search, but now we will never be able to trust an AI model made available by a company that needs to make it profitable.

Too Many?

Posted Feb 25, 2026 20:33 UTC (Wed) by Wol (subscriber, #4433) [Link] (1 response)

> AI search helps a bit because you can make it more specific with words that have meaning.

Meaning? To who? One of my problems with search is trying to understand what language the search engine understands. It certainly doesn't seem to be English, despite looking like it ... :-)

Cheers,
Wol

Too Many?

Posted Feb 25, 2026 21:30 UTC (Wed) by nlucas (subscriber, #33793) [Link]

'Meaning' may have been the wrong word. 'Context' is probably a better word.

With AI you can adjust the search context as you see fit, so search results make more sense.

I started learning Rust some years ago; it was the peak of the Rust game. I would bet there was an order of magnitude more interest in the game than in the language at the time, which made "classic" search a bit of a nightmare.

When it works, it is really great to use. A couple of weeks ago it was a breeze to find the right NATS crate to use. The AI was able to lead me to the official crate supported by the NATS team and summarise the others available. As I had never used NATS before, I did not know how to do an effective "classic" search.

On the other hand, I am sure I am not the only one getting into long hallucinogenic research trips where the AI decides I want something it cannot find. Many times it is unable to backtrack and can only give me the fake information it thinks I want.

Too Many?

Posted Feb 20, 2026 10:47 UTC (Fri) by valderman (subscriber, #56479) [Link]

A big jump in what?

Search result quality has been going down the drain for the last few years. I'm not going to speculate about whether the cause is slop generators being used to rank results or the ranking algorithms being unable to cope with the "content" produced by slop generators, but the only "big jump" I've seen is straight off the edge of a cliff.


Copyright © 2026, Eklektix, Inc.