Description
Is your feature request related to a problem? Please describe.
Supply chain attacks via password reuse or cookie theft are becoming increasingly commonplace. Currently crates.io lacks some basic mitigations that the other package registries have already rolled out.
Describe the solution you'd like
An email notification should be sent to all maintainers for every package they have publishing rights for. This informs the user in case of account compromise and gives them an opportunity to react. At present an account compromise would go completely undetected.
This is already standard practice for other registries - e.g. both RubyGems and NPM do this.
This is what a RubyGems notification looks like.
Describe alternatives you've considered
Sending login notifications alone (#4196) is not sufficient because they would only go to a single user. Notifying multiple people is necessary to protect from e.g. both inbox and crates.io compromise.
I have considered limiting the notification somehow to reduce noise, but there doesn't seem to be a reliable way to automatically distinguish between a legitimate upload and a malicious upload from a compromised account.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages have been compromised, with the ua-parser-js being the most widely used.
The attackers have flooded the maintainers' inboxes with spam to distract them from NPM email notifications, but it has merely delayed the discovery of the compromise. As of right now a similar compromise on crates.io would go completely undetected.
See also: #4195, #4196 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.