
Executive Summary
A coordinated phishing attack exposed systemic risks across npm, PyPI, and Rust. Backed by Alpha-Omega, the Rust Foundation responded faster by leveraging shared intelligence, dedicated security investment, and direct ecosystem collaboration, proving that open source security is strongest when communities act as one.
Lightning Talk: A Case Study in Cross-Ecosystem Security Response by Lori Lorusso, Rust Foundation, presented at Open Source SecurityCon Europe.
Challenge
In 2025, a wave of coordinated phishing attacks hit multiple open source ecosystems, exposing a shared vulnerability across package registries and maintainers.
- Ecosystems impacted included npm, PyPI, and eventually Rust, via its crates ecosystem
- Attack vector: phishing emails that tricked maintainers into generating API tokens, enabling malicious package updates
- Repeated incidents across ecosystems revealed:
  - Human vulnerability (maintainer fatigue, inbox overload)
  - Shared infrastructure dependencies, such as GitHub as an identity provider
  - Lack of coordinated, cross-ecosystem early warning systems
Although Rust is a younger ecosystem (242 billion total downloads), it faced the same systemic risk as the larger ecosystems.
Solution
As a grantee of Alpha-Omega, the Rust Foundation leveraged cross-ecosystem collaboration to respond quickly and effectively.
Key actions:
- Security investment through Alpha-Omega
  - Built a dedicated security team
  - Implemented threat modeling, ecosystem scanning, and trusted publishing
- Cross-ecosystem intelligence sharing
  - Early warning came from the Python Software Foundation via threat monitoring
  - Detection of suspicious domains targeting Rust crates enabled a proactive response
- Rapid coordinated response
  - Internal communication via Zulip and public signals (BlueSky)
  - Faster mitigation compared to earlier npm and PyPI incidents
- Access and escalation support
  - Through Alpha-Omega networks, Rust gained critical access to GitHub contacts to resolve the issue quickly
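As an added illustration of the kind of check the threat monitoring above relies on (this is not code from the talk, the Rust Foundation, or the PSF; the legitimate-domain list, homoglyph table, threshold and sample domains are assumptions), a small filter that flags newly observed domains impersonating Rust ecosystem sites:

```python
# Added example: flag look-alike domains that impersonate Rust ecosystem sites.
# Not the Rust Foundation's or PSF's tooling; rule set and thresholds are assumptions.
from difflib import SequenceMatcher

# Legitimate domains to protect (assumed watch list for this example).
LEGIT_DOMAINS = ["crates.io", "rust-lang.org", "foundation.rust-lang.org", "docs.rs"]

# Visually confusable substitutions an impersonator might use (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse homoglyphs and separators so look-alikes compare equal."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s.replace("-", "").replace(".", "")


def lookalike_score(candidate: str, legit: str) -> float:
    """Similarity in [0, 1] between the normalized forms of two domains."""
    return SequenceMatcher(None, normalize(candidate), normalize(legit)).ratio()


def classify_domain(domain: str, threshold: float = 0.8):
    """Return (verdict, closest_legit_domain, score) for an observed domain.

    verdict is "legitimate" (the domain or a subdomain of one we protect),
    "suspicious" (embeds or closely resembles a protected name), or "unrelated".
    """
    d = domain.lower().strip(".")
    if d in LEGIT_DOMAINS or any(d.endswith("." + l) for l in LEGIT_DOMAINS):
        return ("legitimate", d, 1.0)
    # A protected name embedded in another registrable domain (e.g. a
    # "crates-io" label, or crates.io.<other>) is a classic phishing pattern.
    for l in LEGIT_DOMAINS:
        if l in d or normalize(l) in normalize(d):
            return ("suspicious", l, 1.0)
    best = max(LEGIT_DOMAINS, key=lambda l: lookalike_score(d, l))
    score = lookalike_score(d, best)
    verdict = "suspicious" if score >= threshold else "unrelated"
    return (verdict, best, round(score, 2))


if __name__ == "__main__":
    # Constructed sample domains; none are real indicators from the incident.
    for sample in ["api.crates.io", "crates-io.example", "crates.i0-login.example",
                   "cratez.io", "example.com"]:
        print(sample, "->", classify_domain(sample))
```

Such a filter is only a first-pass signal; the hits still need an analyst (and, as the talk describes, a channel to the affected registry and identity provider) to confirm and act on.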
“What happens when you’re an Alpha-Omega grantee? Well, you get quarterly meetings that are just for grantees to talk about what’s going on. You have open communication. They have their own Slack channel. They have progress reports about what they’re doing. And it’s networking. It’s networking with people that have the same ethos, which is to secure the supply chain, to make everything as secure as possible.”
– Lori Lorusso, Rust Foundation
Results
The coordinated, community-first approach delivered measurable impact:
- Faster response time
  - Rust mitigated the phishing attack significantly faster than the earlier incidents in npm and PyPI
- Improved threat detection
  - Cross-ecosystem monitoring enabled early alerts before widespread compromise
- Stronger ecosystem relationships
  - Deep collaboration between Rust, Python, and the broader OpenSSF communities
- Operational advantages of Alpha-Omega funding
  - Dedicated security staffing
  - Established communication channels
  - Direct escalation pathways to critical platforms like GitHub
- Long-term resilience
  - Continued investment in crate signing and secure publishing
  - Stronger supply chain security posture across ecosystems
Why It Matters
This case shows that open source security is no longer ecosystem-specific. Attacks propagate across shared infrastructure, and defenses must do the same.
Alpha-Omega’s model demonstrates that funding + coordination + community = faster, more effective security outcomes.
Get Involved
- Watch the full talk: https://www.youtube.com/watch?v=i9nmzSiLkl0
- Learn more about the Rust Foundation: https://foundation.rust-lang.org
- Explore OpenSSF and Alpha-Omega