The chrono anchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.

The malicious crate had 1 version published on 2026-03-04 approximately 6 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Thanks to Socket for reporting this crate. They have published a blog post about this recent campaign, and we advise users of timeapi.io to exercise caution when using crates to interact with that service.