A software supply chain attack targeting the Rust programming language ecosystem has been uncovered, involving malicious packages published on the official crates.io registry that specifically targeted cryptocurrency private keys1. The packages, identified as `faster_log` and `async_println`, employed typosquatting techniques to impersonate the legitimate `fast_log` logging library and accumulated nearly 8,500 downloads before being discovered and removed by the crates.io security team in September 20252. This incident highlights ongoing security challenges in open-source software repositories where community vigilance remains the primary defense mechanism against malicious actors.
The attack methodology followed a sophisticated approach where the malicious crates contained fully functional logging code to avoid detection during casual review, while hiding a separate module designed to scan developers’ systems5. When executed, the hidden code would recursively search through all `.rs` files in the project directory, specifically targeting patterns matching Solana and Ethereum private keys. The packages were published on May 25, 2025, by threat actors using the aliases `rustguruman` and `dumbnbased`, and remained available for approximately four months before being detected1.
Attack Vector and Technical Implementation
The malicious packages employed a classic typosquatting strategy, using names visually similar to the popular `fast_log` library which has approximately 295,000 downloads5. To enhance their credibility, the threat actors copied the original library’s README file and repository links, making the packages appear authentic to developers who might accidentally mistype the dependency name. The hidden malicious functionality was contained within a module named `packer.rs` that executed at runtime when projects depending on these crates were compiled or tested2.
The scanning functionality targeted specific cryptographic patterns within source code files. For Ethereum keys, the code searched for quoted strings starting with “0x” followed by 64 hexadecimal characters. Solana keys were identified by searching for Base58-encoded strings between 32 and 44 characters long. Additionally, the scanner looked for bracketed byte arrays that could represent raw key material5. For each match found, the malicious code captured the key value, its type, the source file path, and the line number where it was located, creating a comprehensive inventory of exposed credentials.
Data Exfiltration and Command Infrastructure
The stolen data was packaged into JSON format and transmitted via HTTP POST requests to a hardcoded command-and-control server designed to mimic legitimate infrastructure4. The C2 server used the domain `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`, which was intentionally similar to the legitimate Solana RPC endpoint `api.mainnet-beta.solana[.]com` to blend in with normal network traffic from cryptocurrency applications. This technique demonstrates an evolution in attacker methodology, where malicious network communications are disguised as legitimate application traffic to avoid detection by network monitoring tools.
According to analysis by Socket’s Threat Research Team, which identified and reported the threat, the packages had accumulated 7,181 downloads for `faster_log` and 1,243 for `async_println` before removal5. The crates.io security team confirmed that the malicious packages had no downstream dependencies, meaning no other published crates relied on them, which limited the potential impact of the attack. This containment likely prevented a broader supply chain compromise that could have affected numerous projects throughout the Rust ecosystem.
Registry Policies and Response Mechanisms
The incident occurred within the context of crates.io’s established usage policy, which explicitly states that packages can be removed if they are “abusing the package index for purposes it was not intended”10. The policy framework relies on a reactive moderation model, with a key clause stating that the registry “will not be proactively monitoring the site for these kinds of violations, but instead relying on the community to draw them to our attention.” This approach places the initial detection burden on community members and security researchers rather than registry maintainers.
Upon disclosure by Socket, the crates.io security team coordinated with the Rust Security Response Working Group and the Rust Foundation to implement mitigation measures8. The response included preserving the malicious crate files for analysis, removing the package listings from the registry to prevent further downloads, locking the threat actor accounts, and publishing an official security advisory. The prompt remediation action demonstrates the effectiveness of established response procedures when malicious packages are identified through external reporting.
Broader Context and Historical Precedents
This incident follows a pattern of increasing software supply chain attacks targeting open-source repositories. In 2023, security firm Phylum identified a campaign where attackers initially published benign packages on crates.io before updating them with malware designed to beacon system information to a Telegram channel7. The 2025 campaign shows a more mature approach with specifically targeted objectives focused on high-value cryptocurrency assets. This evolution suggests threat actors are conducting more sophisticated reconnaissance and developing specialized payloads for maximum impact.
Analysis by Trail of Bits indicates that software supply chain attacks are evolving from simple typosquatting to more complex methods including compromised publisher accounts and build pipelines6. The discovery of a related crates.io user account named `crypto-keys-unlocked` that published cryptography-related crates and shared an identical avatar with the `rustguruman` account suggests the threat actor may have been establishing a portfolio of seemingly legitimate utilities for future attacks10. This long-term strategy indicates planning for more sophisticated campaigns that could leverage established credibility within the ecosystem.
Detection and Mitigation Recommendations
Organizations and developers should immediately scan projects and CI/CD pipelines for dependencies on the identified malicious packages and remove them if found. Any private keys, seeds, or other credentials stored in source code, particularly for Solana or Ethereum projects, should be rotated immediately given the risk of exposure2. Implementing secret scanning tools to detect accidentally committed credentials before they reach production repositories represents a fundamental defensive measure against this type of attack.
Network security controls should restrict outbound traffic from development and build environments, allowing connections only to trusted endpoints. Supply chain security tools that can detect suspicious package behaviors, including typosquatting detection, network access patterns, and shell command execution, provide an additional layer of defense5. Supporting ecosystem improvements such as cryptographic verification of package origins and build processes, similar to PyPI’s “trusted publishing” features, can help establish stronger guarantees of package integrity6.
The Rust ecosystem’s reliance on community reporting for malicious package detection highlights the importance of security researcher participation in open-source ecosystems. While reactive measures successfully contained this incident, the four-month window during which the malicious packages remained available underscores the challenges of detecting sophisticated supply chain attacks. Future security improvements may need to balance the open nature of package repositories with more proactive detection capabilities to reduce the time between malicious package publication and identification.
| Indicator Type | Value |
|---|---|
| Malicious Crate Names | faster_log, async_println |
| Publisher Accounts | dumbnbased, rustguruman |
| C2 Server | https://mainnet[.]solana-rpc-pool[.]workers[.]dev/ |
| Related GitHub Accounts | github[.]com/dumbnbased, github[.]com/rustguruman |
| Associated Account | crypto-keys-unlocked (identical avatar to rustguruman) |
The discovery of these malicious packages reinforces the need for comprehensive software supply chain security practices across development lifecycles. While the immediate threat has been neutralized through package removal, the techniques demonstrated in this attack will likely be adopted by other threat actors targeting open-source ecosystems. Continuous monitoring of dependencies, implementation of security tooling, and adherence to principle of least privilege in development environments remain essential defensive measures against evolving supply chain threats.
References
- “Malicious Rust Packages on Crates.io Steal Crypto Wallet Keys,” The Hacker News, Sep. 2025.
- “Malicious Rust Packages on Crates.io Steal Cryptocurrency Keys,” GBHackers, Sep. 2025.
- “Rust Crates Used in Crypto Wallet Key Theft Campaign,” Cyberpress, Sep. 2025.
- “Analysis of Malicious Rust Crates Targeting Cryptocurrency Keys,” Socket.dev Blog, Sep. 2025.
- “Software Supply Chain Threat Evolution,” Trail of Bits Blog, Sep. 2025.
- “Rust Crates Campaign Using Telegram for C2 Communications,” Phylum Blog, 2023.
- “Crates.io Security Advisory: Malicious Packages Removed,” Rust Blog, Sep. 2025.
- “crates.io Usage Policy,” crates.io, accessed Sep. 2025.
