Cybersecurity researchers have discovered two malicious rusty crates that are impersonating a legal library called fast_log to steal Solana and Ethereum wallet keys from the source code.
The crates named Faster_log and async_println were published by threat actors under the alias Rustguruman, according to software supply chain security company Socket, and accumulated a total of 8,424 downloads.
“The crate contains behavior logging code for covers and embedded routines that scan source files for Solana and Ethereum private keys, matching them against hard-coded commands and controls (C2) endpoints via HTTP posts.
Following responsible disclosure, crates.io maintainers took steps to remove the rust package and disable the two accounts. Additionally, for further analysis, it maintains logs of users operated by threat actors along with malicious wooden boxes.
“Malicious code was run at runtime when running or testing a project depending on the project,” says Walter Pearce of Crates.io. “In particular, they didn’t execute malicious code at build time. With the exception of malicious payloads, these crates used similar names to copy the source code, features and documentation of the legitimate crate.”
As detailed in Sockets, type-scutting attacks involve threat actors who retain the logging capabilities of the actual library, introduce malicious code changes during logpacking operations recursively searched in Ethereum and Solana Private Key Directories (*.RS), introduce byte arrays of brackets and byte arrays of brackets, and are illuminated by the area of the Cloud Full Rare Hour Cardmen.[.]dev “).
In addition to copying the readme in fast_log and setting the repository field in bogus crates to the actual github project, as well as using “mainnet.solana-rpc-pool.workers”[.]Dev “is an attempt to mimic Solana’s Mainnet Beta RPC Endpoint” api.mainnet-beta.solana.[.]com. “
According to Crates.io, the two wooden frames did not have the downstream box that they depend on. Additionally, users did not publish other wooden frames in the Rust package registry. Github accounts linked to the crates.io publisher account remain accessible at the time of writing. The Github account was created on May 27, 2023, but Rustguruman was not present until May 25, 2025.
“This campaign shows how minimal code and simple deceptions create supply chain risk,” Boychenko said. “The functional logger with familiar names, copied designs and READMEs can pass on casual reviews, but the small routine posts private wallet keys to the threatening actor-controlled C2 endpoint. Unfortunately, it’s enough to reach the developer’s laptop and CI.”
Source link
