In a recent cybersecurity development, researchers have identified two malicious Rust crates, faster_log and async_println, designed to steal private keys from Solana and Ethereum wallets. These crates, masquerading as the legitimate fast_log library, were uploaded to the Rust package registry, crates.io, on May 25, 2025, by individuals using the aliases rustguruman and dumbnbased. Collectively, they have been downloaded 8,424 times, as reported by software supply chain security firm Socket.
The malicious crates functioned as fully operational logging tools, effectively concealing their true intent. Embedded within their code were routines that scanned source files for Solana and Ethereum private keys. Upon detection, these keys were exfiltrated via HTTP POST requests to a hardcoded command-and-control (C2) server. Security researcher Kirill Boychenko highlighted this method, emphasizing the stealthy nature of the attack.
Upon responsible disclosure, the maintainers of crates.io promptly removed the compromised packages and disabled the associated accounts. They also preserved logs related to the malicious crates and the threat actors for further analysis. Walter Pearce from crates.io noted that the malicious code was executed at runtime, specifically when projects depending on these crates were run or tested. Notably, no malicious code was executed during the build process. Apart from their harmful payloads, these crates replicated the source code, features, and documentation of legitimate libraries, adopting similar names to deceive users.
This attack is a classic example of typosquatting, where malicious actors create packages with names resembling popular libraries to trick developers into downloading them. In this instance, the attackers retained the logging functionality of the genuine fast_log library but introduced malicious code during the log packing process. This code recursively searched Rust files (.rs) within a directory for Ethereum and Solana private keys and bracketed byte arrays, subsequently exfiltrating them to a Cloudflare Workers domain (mainnet.solana-rpc-pool.workers[.]dev).
Further deception was evident as the attackers copied the README file of fast_log and set the repository field of the malicious crates to point to the legitimate GitHub project. The use of the domain mainnet.solana-rpc-pool.workers[.]dev was a deliberate attempt to mimic Solana’s Mainnet beta RPC endpoint api.mainnet-beta.solana[.]com.
According to crates.io, the two malicious crates did not have any dependent downstream crates, nor did the users publish other crates on the Rust package registry. The GitHub accounts linked to the crates.io publisher accounts remain accessible as of this writing. The account dumbnbased was created on May 27, 2023, while rustguruman was established on May 25, 2025.
This incident underscores the significant risks posed by minimal code alterations and simple deception tactics in the software supply chain. A functional logger with a familiar name, copied design, and README can easily pass casual reviews, while a small routine can exfiltrate private wallet keys to a threat actor-controlled C2 endpoint. Such tactics are sufficient to compromise developer laptops and continuous integration (CI) systems.
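A lockfile check for this kind of lookalike dependency, as an added example (not code from Socket or crates.io): it flags the two crate names reported above and any package within two edits of a dependency you actually intend to use. The `expected` list, the distance threshold of 2, and the sample Cargo.lock text are assumptions constructed for illustration.

```rust
// Added example, not code from Socket or crates.io.
const KNOWN_BAD: [&str; 2] = ["faster_log", "async_println"]; // names from the report

#[derive(Debug, PartialEq)]
struct Finding { name: String, known_bad: bool, resembles: Option<String> }

/// Package names from Cargo.lock text; '-' becomes '_' and case is folded
/// so spelling variants of one name compare equal.
fn package_names(lock: &str) -> Vec<String> {
    lock.lines()
        .filter_map(|l| l.trim().strip_prefix("name = \"")?.strip_suffix('"'))
        .map(|n| n.replace('-', "_").to_lowercase())
        .collect()
}

/// Levenshtein distance, single-row dynamic programming.
fn edit_distance(a: &str, b: &str) -> usize {
    let b: Vec<char> = b.chars().collect();
    let mut row: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.chars().enumerate() {
        let mut prev = row[0]; // value diagonally up-left
        row[0] = i + 1;
        for (j, cb) in b.iter().enumerate() {
            let subst = if ca == *cb { prev } else { prev + 1 };
            prev = row[j + 1];
            row[j + 1] = subst.min(prev + 1).min(row[j] + 1);
        }
    }
    row[b.len()]
}

/// Flag packages that are on the blocklist or sit 1..=2 edits away from an
/// intended dependency (`expected` is the caller's own list, an assumption).
fn audit(lock: &str, expected: &[&str]) -> Vec<Finding> {
    package_names(lock).into_iter().filter_map(|name| {
        let known_bad = KNOWN_BAD.contains(&name.as_str());
        let resembles = expected.iter().copied()
            .find(|&e| (1..=2).contains(&edit_distance(&name, e)))
            .map(str::to_string);
        if known_bad || resembles.is_some() {
            Some(Finding { name, known_bad, resembles })
        } else { None }
    }).collect()
}

fn main() {
    // Constructed Cargo.lock excerpt (version lines omitted).
    let lock = "name = \"fast_log\"\nname = \"faster_log\"\nname = \"async_println\"\n";
    for f in audit(lock, &["fast_log"]) { println!("{:?}", f); }
}
```

On the sample, faster_log is caught by both checks, while async_println is caught only by the blocklist because it does not resemble fast_log; name similarity alone would have missed it.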