Firefox thinks every crate on Crates.io is infected?! False positive, I bet?

Deas · June 30, 2026, 2:51am

If I download what seems like any crate, for instance https://static.crates.io/crates/serde/serde-1.0.228.crate which I think is a pretty widely used crate, Firefox (140.12.0esr, Debian 13) says "This file contains a virus or malware." It seems 100% sure about it, it doesn't include any softening wording or anything.

Chrome allows the same downloads with no objection.

Firefox used to allow them until a couple days ago.

Is Crates compromised, or is Firefox broken?

I already vibe coded one entire replacement crate because of this; I figured it was a virus.

VirusTotal thinks it is clean: VirusTotal

But now I think it might be a browser bug, because it says EVERY crate is a virus. What's going on?

Assuming it's bogus, maybe someone knows how to report it to Mozilla?

jonh · June 30, 2026, 8:13am

Firefox (140.12.0esr, Debian 13) not having any such issue.

nerditation · June 30, 2026, 8:25am

I'm using firefox flatpak 152.0.1 and don't see such reports. could it be a debian package thing?

jer · June 30, 2026, 8:42am

In general: file a bug at https://bugzilla.mozilla.org/

That certainly is a bit weird. While there are occasionally some false positives in this detection, it certainly should not happen like that consistently for legitimate source.
I'd suggest to report it as a bug.

bjorn3 · June 30, 2026, 11:22am

I don't have any problems with the Debian packaged Firefox ESR either.

Topic		Replies	Views
Possible Malware found in some crates help	5	1104	April 6, 2024
Crates.io seems to be down	4	1054	November 8, 2016
Trojan:Win32/Bearfoos.A!ml community	7	2411	January 9, 2026
Executed cargo build via pycharm rust plugin - Bitdefender detected a threat	2	534	February 14, 2021
Ensuring safety considerations for Rust Crates from the Official Website help	2	503	October 30, 2023

Firefox thinks every crate on Crates.io is infected?! False positive, I bet?

Related topics