Cargo · crates.io
halfin
Rs Build Time Command Combo: Process spawn (std::process::Command) paired with network / base64 / env-token read at build time.
Why PkgRadar flagged 0.3.8
| Severity | Signal | Evidence |
|---|---|---|
| high | Rs Build Time Command Combo | Process spawn (std::process::Command) paired with network / base64 / env-token read at build time. · halfin-0.3.8/build.rs |
| high | Rs Build Time Env Token Read | Reads CI/CD secret env vars (AWS / GitHub / GitLab / Cargo / NPM tokens) at build time. · halfin-0.3.8/build.rs |
| medium | Remote Payload | matched "github.com/utreexo/utreexod/releases/download" · halfin-0.3.8/build.rs |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.4.0 | Review | 35 | 2026-06-16 |
0.3.8 | High risk | 112 | 2026-06-02 |
0.3.7 | High risk | 112 | 2026-05-30 |
Related campaigns
- rs_build_time_env_token_read:reads ci/cd secret env vars (aws / github / gitlab / cargo / npm tokens) at build time. — 18 releases, max score 180
Block this in CI
pkgradar gate --ecosystem cargo [email protected]