Ethical Hacking News
In a shocking discovery, two malicious Rust packages on Crates.io have been found to steal cryptocurrency private keys and sensitive information from unsuspecting developers. The attack highlights the need for vigilance when it comes to open-source security and the importance of verifying package publishers before downloading their crates.
Two malicious Rust packages, faster_log and async_println, were found on Crates.io, which stole cryptocurrency private keys and sensitive information from unsuspecting developers. The attackers impersonated the legitimate 'fast_log' crate to blend in with the rest of the ecosystem and steal users' sensitive data. The malicious packages scanned for specific types of data, including Ethereum and Solana keys, and exfiltrated them to a hardcoded Cloudflare Worker URL address. Developers who downloaded these crates need to take immediate action to prevent theft and should be vigilant in their pursuit of open-source security.
In a recent revelation that sheds light on the dark corners of the open-source world, two malicious Rust packages on Crates.io, the equivalent of npm for JavaScript, PyPI for Python, and Ruby Gems for Ruby, have been identified as stealing cryptocurrency private keys and other sensitive information from unsuspecting developers. The attack is attributed to a sophisticated campaign where researchers at code security company Socket discovered the malicious crates, named faster_log and async_println, and reported them to Crate.io.
The malicious packages were published on the platform on May 25th and had garnered nearly 8,500 downloads between the two of them. Researchers at Socket explain in a report that the attackers impersonated the legitimate ‘fast_log’ crate, copying its README file, repository metadata, and retaining the real project’s logging functionality to reduce suspicion. This tactic allowed the malicious packages to blend in seamlessly with the rest of the Crates.io ecosystem.
The attackers exploited the log file packing functionality to scan for sensitive information. A payload hidden in the malicious crates executed at runtime to scan the victim's environment and project source files for specific types of data, including hex strings that resemble Ethereum private keys, base58 strings that resemble Solana keys/addresses, and bracketed byte arrays that might hide keys or seeds.
When the code found matches, it bundled the data with the file path and line number and exfiltrated the data to a hardcoded Cloudflare Worker URL address (mainnet[.]solana-rpc-pool[.]workers[.]dev). Socket confirmed that this endpoint was live and accepting POST requests during its tests, noting that the host is not an official Solana RPC endpoint.
The malicious crates appeared in search results for the legitimate project, which added to the confusion and allowed the attackers to spread their malware further. The fact that the two banned publishers had submitted no other projects, making them "empty-handed" in terms of downstream impact, was noted by Crate.io. However, developers who have downloaded either crate need to take immediate action to prevent theft.
This attack highlights the importance of verifying the publisher's reputation and double-checking building instructions before downloading a Rust crate. Developers should also be aware that even seemingly secure packages can contain hidden vulnerabilities. The revelation serves as a reminder to be vigilant in our pursuit of open-source security.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Rust-Packages-on-Cratesio-Steal-Crypto-Wallet-Keys-Leaving-Developers-Vulnerable-to-Theft-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-cratesio-steal-crypto-wallet-keys/
https://thehackernews.com/2025/09/malicious-rust-crates-steal-solana-and.html
Published: Thu Sep 25 11:11:29 2025 by llama3.2 3B Q4_K_M
