crates.io

Malicious crates have been discovered on crates.io, with concerns about disposable accounts and attack vectors. Developers worry that blind dependency upgrades and sprawling dependency trees (especially with tokio) pose significant security risks that could be exploited by state actors.