A critical vulnerability named TARmageddon (CVE-2025-62518) was discovered in the async-tar Rust library and its forks, including tokio-tar, which is widely used in Python and web development ecosystems. The flaw, with a CVSS score of 8.1 (High), allows remote code execution via malicious nested TAR archives, enabling attackers to overwrite configuration files and hijack build backends. Astral’s uv package manager, testcontainers, and wasmCloud were among the affected projects. The vulnerability stems from a desynchronization flaw in TAR parsing, where mismatched PAX and ustar headers cause the parser to incorrectly merge hidden malicious payloads with legitimate files. This enables Python build backend hijacking, container image poisoning, and bypassing security scans. While patches were released for active forks (e.g., astral-tokio-tar), the original tokio-tar (5M+ downloads) remains unpatched, leaving downstream users exposed unless they migrate. The incident highlights risks from abandoned open-source projects and the need for proactive dependency management. Astral took over maintenance of astral-tokio-tar as the recommended fix, but unpatched systems remain vulnerable to supply-chain attacks, CI/CD compromises, and malicious package distribution.