- Researchers found two malicious Rust packages that impersonated a popular logging library and targeted crypto wallet keys.
- The compromised packages, named faster_log and async_println, had over 8,400 downloads before removal.
- These packages stole Solana and Ethereum private keys from source code and sent them to a command-and-control server.
- The crates copied legitimate code and documentation, making them appear trustworthy to developers.
- The Rust package registry has removed the malicious crates and preserved user logs for investigation.
Cybersecurity researchers identified two harmful Rust packages distributed on crates.io that imitated a well-known logging library to steal private crypto wallet keys. The crates, called faster_log and async_println, appeared to be legitimate software, but their true purpose was to collect Solana and Ethereum wallet keys from developers’ source code.
According to Socket, a software supply chain security firm, the attacker used the aliases rustguruman and dumbnbased and published the crates on May 25, 2025. Together, these packages reached 8,424 downloads before being taken down. Security researcher Kirill Boychenko said the crates worked as logging tools but secretly searched for wallet keys and sent any found to a hardcoded web address controlled by the attacker.
“The malicious code was executed at runtime, when running or testing a project depending on them,” explained Walter Pearce from Crates.io. He added, “Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, and documentation of legitimate crates, using a similar name to them.” After a responsible disclosure, crates.io removed the packages and disabled both user accounts.
Socket described the tactic as a supply chain attack using typosquatting—where names similar to real packages deceive users. The fake packages kept all normal logging functions but added code that searched files with the .rs extension for wallet keys and uploaded them to a server hosted at mainnet.solana-rpc-pool.workers[.]dev.
Attackers also duplicated the README file and linked to the real fast_log GitHub project, making the bogus packages harder to identify. The use of a domain similar to Solana’s real Mainnet beta RPC endpoint further increased the risk of confusion.
Crates.io reported that no other packages depended on the malicious crates and that the related GitHub accounts remain active. According to Boychenko, “A functional logger with a familiar name, copied design, and README can pass casual review, while a small routine posts private wallet keys to a threat actor-controlled C2 endpoint. Unfortunately, that is enough to reach developer laptops and CI.”
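Because the payload ran only at runtime and the crates behaved like a working logger, the reliable check is the dependency list itself. The following is an added example, not code from Socket or crates.io: it scans `Cargo.lock` text for the two crate names reported above. The function names, the sample lockfile and its version strings are constructed for illustration, and folding hyphens to underscores is a defensive assumption.

```rust
// Crate names reported in the article; everything else here is constructed.
const MALICIOUS: [&str; 2] = ["faster_log", "async_println"];

// Constructed sample lockfile (versions are placeholders, not real releases).
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "fast_log"
version = "0.0.0-sample"

[[package]]
name = "faster_log"
version = "0.0.0-sample"
dependencies = [
 "fast_log",
]
"#;

/// Extract the value of `key = "value"` from one lockfile line, if present.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return (name, version) for each [[package]] entry whose name is on the list.
/// Only `name` keys inside a package table count; dependency arrays are ignored.
pub fn find_malicious(lock: &str) -> Vec<(String, String)> {
    let (mut hits, mut name, mut in_package) = (Vec::new(), None::<String>, false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_package = line == "[[package]]"; // a new table resets state
            name = None;
        } else if !in_package {
            continue; // e.g. the top-level `version = 3` line
        } else if let Some(n) = quoted_value(line, "name") {
            name = Some(n.replace('-', "_")); // assumption: fold `-` to `_`
        } else if let (Some(v), Some(n)) = (quoted_value(line, "version"), name.take()) {
            if MALICIOUS.iter().any(|m| *m == n.as_str()) {
                hits.push((n, v.to_string()));
            }
        }
    }
    hits
}

fn main() {
    for (name, version) in find_malicious(SAMPLE_LOCK) {
        println!("malicious crate in lockfile: {} {}", name, version);
    }
}
```

A hit means the project ran the payload whenever it was run or tested, so any wallet keys present in its `.rs` files should be treated as exposed.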