time_calibrator
time_calibrator is a malicious Rust crate published to crates.io that masqueraded as a time-related utility and was identified by Socket as one of five related malicious packages, alongside chrono_anchor, dnp3times, time_calibrators, and time-sync. The crates impersonated the legitimate service timeapi.io and used the lookalike domain timeapis[.]io for exfiltration. Its core behavior was credential and secret theft rather than legitimate time calibration functionality: the package attempted to collect sensitive data from developer environments, especially .env files, and exfiltrate the contents to threat actor-controlled infrastructure. The activity was assessed as likely conducted by a single threat actor based on shared infrastructure and exfiltration methodology across the crate set. The package was advertised as calibrating local time without relying on NTP, but the reported behavior indicates straightforward .env exfiltration. The malware did not establish persistence via services or scheduled tasks, but attempted repeated exfiltration whenever the malicious code was invoked in developer workstations or CI workflows, creating software supply-chain risk. Stolen .env contents could include API keys, tokens, and other secrets, potentially enabling downstream compromise of cloud services, databases, GitHub, and registry accounts. The crate was removed from crates.io. It was also observed as a dependency in the GitHub repository aestik6/Polymarket-crypto-5min-arbitrage-bot, which was referenced in reporting on the broader Contagious Trader cryptocurrency-themed malware campaign.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
aestik6/Polymarket-crypto-5min-arbitrage-bot ... depends on time_calibrator , one of several malicious infostealer crates disclosed by Kirill Boychenko of Socket
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Resource Development
Initial Access
2 techniques
Initial Access
five malicious Rust crates silently exfiltrated .env secrets from CI pipelines... The subsequent injection of malicious code into Trivy VS Code extension versions 1.8.12 and 1.8.13 from Open VSX escalated impact significantly, converting the widely deployed security tool into an active exfiltration agent.
Execution
1 technique
Execution
Stealth
1 technique
Stealth
Credential Access
2 techniques
Credential Access
Collection
1 technique
Collection
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malicious infostealer crate used in a Rust-based strain of the Contagious Trader campaign.
A malicious Rust crate on crates.io posing as a time calibration utility; exfiltrates .env secrets from developer environments/CI to attacker-controlled infrastructure.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.