[nextaccountic]

> The rest I recognize as being owned by a Rust maintainer like alexcrichton

The issue here isn't Alex Crichton going rogue, but rather, some malware stealing his credentials to use them to publish more malware in crates.io

In this sense, the more well known and upstanding Rust developer, the higher the risk they will be targeted by such operations

[b40d-48b2-979e]

With crates.io using GH as its IdP, I think there would be much farther reaching consequences to account pwning in that scenario. I agree, though, that the security model for crates.io is only as strong as the weakest link there, and would pray someone like Alex is using physical tokens or the like for his MFA and can't be conned by a well-crafted email.