Cybersecurity researchers have discovered two malicious Rust crates that impersonate a legitimate library called fast_log in order to steal Solana and Ethereum wallet keys from source code. The crates, named faster_log and async_println, were published by a threat actor under the pseudonyms rustguruman and dumbnbased on May 25, 2025, and were downloaded a total of 8,424 times, according to the software supply chain security company Socket.
Make sure you know what you are downloading
These fraudulent crates include functional logging code as a cover and contain routines that scan source files for Solana and Ethereum private keys. Once matches are identified, the crates exfiltrate them through an HTTP POST request to a hardcoded command and control (C2) endpoint, according to security researcher Kirill Boychenko.
Following the responsible disclosure of the finding, the maintainers of crates.io have taken steps to remove the Rust packages and disable the two involved accounts. In addition, they have preserved the records of the users operated by the threat actor along with the malicious crates for further analysis. “The malicious code was executed at runtime, when running or testing a project that depended on them,” commented Walter Pearce from crates.io.
In this typosquatting attack, the threat actors kept the original library's logging functionality while introducing malicious changes during a packaging operation, which recursively searched for Rust files in a directory to find private keys. This attack is a clear reminder of how minimal code and a simple deception can create a significant risk in the supply chain, allowing malicious code to reach developers' computers and continuous integration systems.
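One way to check a project for the crates named above is to audit its Cargo.lock; the following is an added example, not code from Socket, crates.io or the original article. The `TRUSTED` list, the edit-distance threshold of 2 and the sample lockfile are assumptions constructed for illustration.

```rust
// Added example: flag lockfile packages that are denylisted or near-misses of trusted names.
static DENYLIST: [&str; 2] = ["faster_log", "async_println"]; // crate names reported in this article
static TRUSTED: [&str; 2] = ["fast_log", "serde"]; // assumption: crates the project intends to use

/// Levenshtein edit distance between two ASCII crate names.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let sub = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur[j] = sub.min(prev[j] + 1).min(cur[j - 1] + 1);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// crates.io treats '-' and '_' as equivalent, so normalise before comparing.
fn normalise(name: &str) -> String {
    name.trim().to_ascii_lowercase().replace('-', "_")
}

/// Returns (crate name, reason) for every suspicious package in the lockfile text.
fn audit_lockfile(lock: &str) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    for line in lock.lines() {
        let Some(rest) = line.trim().strip_prefix("name = \"") else { continue };
        let name = normalise(rest.trim_end_matches('"'));
        if DENYLIST.contains(&name.as_str()) {
            findings.push((name, "denylisted".to_string()));
        } else if !TRUSTED.contains(&name.as_str()) {
            // Threshold 2 is an assumption; it catches faster_log vs fast_log.
            if let Some(t) = TRUSTED.iter().find(|t| edit_distance(&name, t) <= 2) {
                findings.push((name, format!("near-miss of {t}")));
            }
        }
    }
    findings
}

// Constructed sample lockfile (package names only, versions omitted).
const SAMPLE_LOCK: &str = "[[package]]\nname = \"fast_log\"\n[[package]]\nname = \"faster_log\"\n\
    [[package]]\nname = \"async-println\"\n[[package]]\nname = \"fastlog\"\n[[package]]\nname = \"serde\"\n";

fn main() {
    for (name, reason) in audit_lockfile(SAMPLE_LOCK) {
        println!("{name}: {reason}");
    }
}
```

A near-miss finding is a prompt for manual review of the crate's publisher and history, not proof of malice.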