Cybersecurity researchers have recently uncovered two malicious Rust crates designed to impersonate a legitimate library known as fast_log, with the objective of stealing private keys from Solana and Ethereum wallets. The deceptive packages, identified as faster_log and async_println, were uploaded by a threat actor using the pseudonyms rustguruman and dumbnbased on May 25, 2025. In total, these malicious crates accumulated 8,424 downloads, raising significant concerns about software supply chain vulnerabilities.
According to security researcher Kirill Boychenko, these crates included legitimate logging functionality to obfuscate their true intentions. The malicious code operates by scanning source files for private keys associated with Solana and Ethereum wallets. When such keys are detected, the code then exfiltrates them via an HTTP POST request to a hardcoded command and control (C2) endpoint.
In response to this discovery and following a responsible disclosure approach, the maintainers of crates.io took immediate action. They removed the compromised Rust packages and disabled both associated accounts, while also preserving logs for further analysis.
Walter Pearce from crates.io noted that the malicious code only executed at runtime when a project utilizing these crates was run or tested. It is important to highlight that no harmful code was triggered during the build process, which may have allowed the rogue packages to evade casual scrutiny. Apart from their harmful payload, these crates largely mirrored the source code, features, and documentation of the authentic fast_log library, featuring names that were strikingly similar.
This incident exemplifies a typosquatting attack, as detailed by Socket, where the threat actors retained the logging capability of the legitimate library while embedding malicious alterations. During a log packing procedure, the malicious code recursively searched through Rust files (*.rs) in a directory for Ethereum and Solana private keys as well as bracketed byte arrays and exfiltrated these findings to a domain managed by Cloudflare Workers (“mainnet.solana-rpc-pool.workers[.]dev”).
Further analysis reveals that the attackers not only copied the README of fast_log but also set the repository information for the bogus crates to reflect the real GitHub project. Additionally, the domain name used attempts to imitate Solana’s authentic Mainnet beta RPC endpoint (“api.mainnet-beta.solana[.]com”), reinforcing the deceptive nature of this attack.
Crates.io confirmed that the two malicious crates had no dependent downstream packages, and the users did not publish any other crates on the Rust package registry. As of the latest updates, the GitHub accounts tied to the crates.io publisher accounts remained active. The account belonging to dumbnbased was established on May 27, 2023, while that of rustguruman emerged just a couple of days prior to the crate uploads.
Boychenko emphasized the implications of this campaign, stating, “This campaign shows how minimal code and simple deception can create a supply chain risk.” The combination of a functional logger, a familiar name, and a replicated design creates a façade that can easily pass a casual review. However, even a small routine capable of posting private wallet keys to a threat actor-controlled C2 endpoint can have severe repercussions, particularly affecting developer laptops and continuous integration systems.
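A lockfile check of the kind a CI job could run for this incident, added here as an example and not code from Socket, crates.io or the fast_log project. It matches the two crate names reported above and also measures edit distance to fast_log; the threshold of 2, the `Finding` type, the function names and the sample lockfile are assumptions made for illustration.

```rust
// Added example: audit Cargo.lock text for the crate names reported in the article.
const BLOCKLIST: [&str; 2] = ["faster_log", "async_println"];
const PROTECTED: &str = "fast_log"; // the legitimate crate being impersonated

#[derive(Debug, PartialEq)]
enum Finding { KnownMalicious(String), LookAlike(String, usize) } // (name, distance)

/// Levenshtein distance over bytes (crate names are ASCII).
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let sub = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur[j] = sub.min(prev[j] + 1).min(cur[j - 1] + 1);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Flags blocklisted names first, then names within `max_dist` edits of PROTECTED.
fn audit_lockfile(lock: &str, max_dist: usize) -> Vec<Finding> {
    let mut out = Vec::new();
    for line in lock.lines() {
        let Some(rest) = line.trim().strip_prefix("name = \"") else { continue };
        let name = rest.trim_end_matches('"').replace('-', "_");
        let d = edit_distance(&name, PROTECTED);
        if BLOCKLIST.contains(&name.as_str()) {
            out.push(Finding::KnownMalicious(name));
        } else if d > 0 && d <= max_dist {
            out.push(Finding::LookAlike(name, d));
        }
    }
    out
}

// Constructed sample lockfile (name lines only), not taken from any real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "fast_log"
[[package]]
name = "faster_log"
[[package]]
name = "async_println"
"#;

fn main() { for f in audit_lockfile(SAMPLE_LOCK, 2) { println!("{f:?}"); } }
```

The distance heuristic on its own would flag faster_log (distance 2) but not async_println, which is why the explicit name list is checked first.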