Two Malicious Packages Found in Rust Crates.io Repository

Two malicious packages with a combined total of roughly 8,500 downloads have been discovered in the official Rust repository. The malware scanned developers’ systems to steal private cryptocurrency keys and other sensitive data.

Discovery and Impact
Rust packages, known as crates, are distributed through Crates.io—the equivalent of npm for JavaScript, PyPI for Python, and RubyGems for Ruby.
Researchers from Socket reported that the malicious crates, faster_log and async_println, were published on May 25, 2025. They were downloaded approximately 7,200 and 1,200 times, respectively. Both crates have since been removed, and the accounts that published them—rustguruman and dumbnbased—were blocked on September 24.

Masquerading as Legitimate Packages
The attackers disguised the crates to resemble the legitimate fast_log package by copying its README file and repository metadata and by keeping the logging functionality working to avoid suspicion. Behind the scenes, however, they misused the log packaging feature to search for sensitive information.

Payload Behavior
At runtime, the malicious code scanned the victim’s environment and project source files for:
- Hexadecimal strings resembling Ethereum private keys
- Base58 strings resembling Solana keys or addresses
- Byte arrays in brackets, potentially containing keys or seed phrases
If matches were found, the malware packaged them along with the file path and line number, then exfiltrated the data to a hardcoded Cloudflare Worker endpoint:
mainnet[.]solana-rpc-pool[.]workers[.]dev
This endpoint was active and accepting POST requests at the time of investigation, though it was not an official Solana RPC service.

Mitigation and Response
According to Crates.io maintainers, the malicious packages had no downstream dependencies, and the blocked users had not uploaded any other projects. Still, developers who installed these crates are advised to:
- Clean their systems
- Transfer digital assets to new wallets to prevent theft
Researchers further urge developers to verify a publisher’s reputation before installing a crate and to review build instructions carefully to avoid automatically fetching malicious packages.
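
A triage sketch for the advice above, added here as an example and not code from Socket, Crates.io, or the original report: it checks Cargo.lock text for the two crate names and lists source lines holding key-like material of the three kinds described under Payload Behavior, so the affected keys can be rotated. The regular expressions are approximations chosen for this example, and the sample lock file and source text are constructed.

```python
import re

# Crate names reported on this page.
MALICIOUS_CRATES = {"faster_log", "async_println"}

# Assumed approximations of the three pattern classes listed under Payload Behavior.
PATTERNS = {
    "hex-64 (Ethereum-style key)": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
    "base58 (Solana-style key or address)": re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{32,88}\b"),
    "bracketed byte array": re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){31,}\d{1,3}\s*\]"),
}

def flagged_crates(lock_text):
    """Return sorted (name, version) pairs in Cargo.lock text that match the reported crates."""
    hits, name = set(), None
    for line in map(str.strip, lock_text.splitlines()):
        if line == "[[package]]":
            name = None
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = ") and name in MALICIOUS_CRATES:
            hits.add((name, line.split("=", 1)[1].strip().strip('"')))
    return sorted(hits)

def exposed_secrets(path, text):
    """Return (path, line_no, kind) per line holding key-like material; values are never kept."""
    # Per-line matching: a byte array split across several lines is not detected.
    return [(path, no, kind)
            for no, line in enumerate(text.splitlines(), 1)
            for kind, rx in PATTERNS.items() if rx.search(line)]

# Constructed sample inputs (versions and key material are made up).
SAMPLE_LOCK = '''[[package]]
name = "faster_log"
version = "0.0.0"

[[package]]
name = "serde"
version = "1.0.0"
'''
SAMPLE_SRC = (
    'let eth = "0x' + "00ff" * 16 + '";\n'
    'let note = "no secrets here";\n'
    "let seed = [" + ", ".join(str(i) for i in range(64)) + "];\n"
)

if __name__ == "__main__":
    print(flagged_crates(SAMPLE_LOCK))
    for finding in exposed_secrets("src/main.rs", SAMPLE_SRC):
        print(finding)
```

The findings carry only the file path, line number, and pattern kind, so the output can be shared in an incident ticket without copying the key material itself.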