The Rust crate onering v1.4.1 was discovered to be compromised with malicious code injected into its build script (build.rs). The malicious build script locates the consuming project's repository and runs git commands to harvest commit metadata and code diffs — effectively stealing your source code at build time. The stolen data is then disguised as a Sentry telemetry event and silently exfiltrated to an attacker controlled endpoint. Both the crates.io registry version and the maintainer's GitHub repository were affected, so developers pulling from either source were at risk.