A crate `vsdb` has more downloads than `rand` and `libc` in the last 90 days

https://crates.io/crates/vsdb

[chart legend: vsdb, rand, libc]

So amazing!

It's due to spamming downloads. If you take a look at one of the dependencies of this crate (fast-math), it has practically no downloads.

17 Likes

I hope that download spam doesn't become a major trend. When deciding which crate is better-known (e.g., bitvec is more popular than bit-vec, bv, bitm, bit-array, bitarray, ba, bit-set, or bitarray-set, and it includes the majority of the others' functionality), I tend to check both the last-modified date as well as the recent download count. Since the former is somewhat unreliable, the possibility of crates spoofing the latter will introduce much more uncertainty.

2 Likes

I think vsdb, btm, vsdbsled, vsdb_derive, and ruc are all spammed. The initial hit has also inflated downloads of over 60 other crates (e.g. ieee754, serde_cbor, half, jobserver, rio, and so on).

I don't know if it's malicious, or some really really bad script somewhere. I've opened an issue in the author's repository, but they've closed it without comment, and haven't changed their behavior.

I've pinged crates-io team about this. They've blocked a couple of worst-offending IP addresses, but as you can see there's still more.

I've offered implementing some anti-spam measure for downloads, but the crates-io team currently doesn't have enough resources to handle the extra complexity it would bring.

29 Likes

Did it get deleted? I can't find any issue by you at Issues · rust-util-collections/vsdb · GitHub

https://github.com/ccmlm/BTM/issues/1

Thanks!

I filed a new bug, after 20K downloads last night.

3 Likes
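The two checks used in this thread, that a crate cannot honestly have far more downloads than a dependency every build of it must fetch (the fast-math observation above), and that a jump like 20K downloads in one night stands out against the crate's own history, can be scripted. The following is an added example, not code from the original thread, from crates.io, or from the vsdb project; the crate names, daily counts and dependency edges are constructed sample data, and the thresholds (a 7-day window, a 10x spike factor, a 3x dependency slack to allow for registry caching) are assumptions, not crates.io policy.

```rust
use std::collections::HashMap;

/// Download history and required dependencies of one crate.
/// All values below are constructed for the example, not real registry data.
#[derive(Debug, Clone)]
struct CrateStats {
    name: &'static str,
    /// Daily download counts, oldest first.
    daily: Vec<u64>,
    /// Non-optional dependencies that every build of this crate must fetch.
    required_deps: Vec<&'static str>,
}

fn total(c: &CrateStats) -> u64 {
    c.daily.iter().sum()
}

/// Median of a slice (copies and sorts; fine for short series).
fn median(xs: &[u64]) -> u64 {
    let mut v = xs.to_vec();
    v.sort_unstable();
    let n = v.len();
    if n == 0 {
        0
    } else if n % 2 == 1 {
        v[n / 2]
    } else {
        (v[n / 2 - 1] + v[n / 2]) / 2
    }
}

/// Indices of days whose count is at least `factor` times the median of the
/// preceding `window` days. A single overnight burst shows up here.
fn spike_days(daily: &[u64], window: usize, factor: u64) -> Vec<usize> {
    let mut out = Vec::new();
    for i in window..daily.len() {
        let base = median(&daily[i - window..i]).max(1);
        if daily[i] >= factor * base {
            out.push(i);
        }
    }
    out
}

/// A crate really built N times must pull each required dependency roughly N
/// times as well (caching makes this approximate, hence the `ratio` slack).
/// Returns required dependencies whose totals are implausibly low.
fn inconsistent_deps(
    stats: &HashMap<&'static str, CrateStats>,
    name: &str,
    ratio: u64,
) -> Vec<(&'static str, u64)> {
    let c = match stats.get(name) {
        Some(c) => c,
        None => return Vec::new(),
    };
    let own = total(c);
    let mut out = Vec::new();
    for dep in &c.required_deps {
        let dep_total = stats.get(dep).map(total).unwrap_or(0);
        if dep_total.saturating_mul(ratio) < own {
            out.push((*dep, dep_total));
        }
    }
    out
}

/// Constructed sample registry: `spamcrate` has ten quiet days, then 20,000
/// downloads in one day, while its required dependency `fastdep` barely moves.
fn sample_registry() -> HashMap<&'static str, CrateStats> {
    let mut spam = vec![100; 10];
    spam.push(20_000);
    let crates = vec![
        CrateStats { name: "spamcrate", daily: spam, required_deps: vec!["fastdep", "popdep"] },
        CrateStats { name: "fastdep", daily: vec![5; 11], required_deps: vec![] },
        CrateStats { name: "popdep", daily: vec![5_000; 11], required_deps: vec![] },
        CrateStats { name: "honestcrate", daily: vec![200; 11], required_deps: vec!["popdep"] },
    ];
    crates.into_iter().map(|c| (c.name, c)).collect()
}

fn main() {
    let reg = sample_registry();
    for c in reg.values() {
        let spikes = spike_days(&c.daily, 7, 10);
        let bad_deps = inconsistent_deps(&reg, c.name, 3);
        if !spikes.is_empty() || !bad_deps.is_empty() {
            println!("{}: spike days {:?}, under-downloaded required deps {:?}", c.name, spikes, bad_deps);
        }
    }
}
```

The dependency check is the stronger signal: a burst of real users would show up in every mandatory dependency, so a crate whose own count dwarfs a dependency that every build must fetch is either pulled almost entirely from caches or counted from requests that never build anything. Run it against real data by replacing `sample_registry()` with counts from the registry's download endpoint; the thresholds should be tuned to the ecosystem's normal day-to-day variance.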

Is this behaviour within the crates.io terms of service? It seems quite dishonest to artificially inflate your own download numbers and could be used to trick people into a supply chain attack.

Reddit has a similar issue where bots will farm karma to make an account look more valuable/influential than it is, then the owner sells the account to the highest bidder. Typically so the buyer can leverage their "reputation" to exploit real users via marketing/scams.

8 Likes

I think the fact that the crates.io team has blocked IPs already indicates that no, it's not permitted. Personally I think a crackdown is in order.

8 Likes

Why am I not surprised something "mainly used in the blockchain scene" would be behaving unethically?

I'd be on the watch for malware being inserted later on.

11 Likes

I would like to point out that both linked issues are now 404s, indicating that someone may be trying to hide something.

3 Likes

The crates.io team has been monitoring this, and is continuing to. We have evidence these downloads are artificial, and we're now excluding these crates from the lists on the homepage. We're blocking IP addresses as we catch them.

In the future, please contact the crates.io team about this rather than confronting users directly.

I don't think there's a need to extrapolate here; please stick to pointing out particular unethical acts by blockchain users/projects rather than making generalizations about groups of people. We don't do that here.

27 Likes

This is a bit unfair, I feel? Crypto, as a community, is rife with, and supportive of, what would anywhere else be considered straight up fraud. This is pretty well documented and understood at this point, for example pump and dump schemes are openly advertised, with responders assuming they are the pump, not the dump.

When my statement was basically that I'm unsurprised that a community that is extremely attractive to bad actors might have attracted bad actors, I'm unsure where the moral judgment is coming from.

7 Likes

Moderator note: The original issue has been resolved. If you want to talk about our moderation policy regarding cryptocurrency, email mods@rust-lang.org. If you want to talk about cryptocurrency itself, please don't hijack a thread about a specific incident to do that.

7 Likes