Socket’s Threat Research Team has uncovered a supply chain attack involving two malicious Rust crates—faster_log and async_println—that impersonated the legitimate fast_log library. Together, the impostor packages were downloaded more than 8,400 times before being removed from the Rust package registry.
The threat actor, operating under the aliases rustguruman and dumbnbased, published the crates on May 25, 2025. Both included working logging code to avoid suspicion but secretly embedded routines to scan Rust projects for cryptocurrency wallet secrets.
According to Socket, “the crates include working logging code for cover and embed routines that scan source files for Solana and Ethereum private keys, then exfiltrate matches via HTTP POST to a hardcoded command and control (C2) endpoint (https://mainnet[.]solana-rpc-pool[.]workers[.]dev/).”
The malicious logic searched for:
- Ethereum private keys (strings beginning with 0x followed by 64 hex characters)
- Solana Base58 addresses and keys (32–44 character tokens)
- Bracketed byte arrays that may contain raw key material
Once detected, the data—including the file path and line number—was packaged and sent to the attacker-controlled endpoint.
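For teams that had either crate in a build, a triage sketch (an added example, not Socket's or the registry's tooling): it checks a Cargo.lock for the two crate names and reports where strings of the three listed shapes sit in the source tree, so those keys can be rotated. The function names, the sample input and the 32-byte array minimum are assumptions of this example.

```python
import re

# Crate names the article reports as malicious.
MALICIOUS = {"faster_log", "async_println"}

B58 = "1-9A-HJ-NP-Za-km-z"  # Base58 alphabet as a regex character range
# The three shapes of key material the article lists. The 32-byte minimum for
# arrays is an assumption of this example; the article gives no length.
PATTERNS = {
    "ethereum_private_key": re.compile(r"0x[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    "base58_token": re.compile(rf"(?<![{B58}])[{B58}]{{32,44}}(?![{B58}])"),
    "byte_array": re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){31,}\d{1,3}\s*,?\s*\]"),
}


def malicious_crates_in_lock(lock_text):
    """Return the flagged crate names that appear in a Cargo.lock body."""
    names = re.findall(r'(?m)^name\s*=\s*"([^"]+)"', lock_text)
    # Hyphen and underscore spellings are treated alike.
    return sorted({n for n in names if n.replace("-", "_") in MALICIOUS})


def exposed_secrets(files):
    """Map {path: text} to sorted (path, line, kind) hits; values are never echoed."""
    hits = []
    for path, text in files.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                # Whole-text search so arrays spanning several lines are found.
                hits.append((path, text.count("\n", 0, m.start()) + 1, kind))
    return sorted(hits)


# Constructed sample input: no real keys, versions or paths.
SAMPLE_LOCK = '[[package]]\nname = "fast_log"\nversion = "0.0.0"\n\n' \
              '[[package]]\nname = "faster_log"\nversion = "0.0.0"\n'
SAMPLE_FILES = {
    "src/wallet.rs": 'const RPC: &str = "https://example.invalid";\n'
                     'const ETH: &str = "0x' + "ab" * 32 + '";\n'
                     'const SOL: &str = "' + "A1b2C3d4" * 5 + '";\n',
    "src/signer.rs": "// constructed\nconst SEED: [u8; 32] = [\n"
                     + ", ".join(["7"] * 32) + "\n];\n",
}

if __name__ == "__main__":
    print("flagged crates:", malicious_crates_in_lock(SAMPLE_LOCK))
    for path, line, kind in exposed_secrets(SAMPLE_FILES):
        print(f"rotate: {path}:{line} ({kind})")
```

The Base58 pattern is broad by design and will also flag public addresses and other long alphanumeric tokens, so treat its hits as candidates for review rather than confirmed key exposure.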
The crates were carefully designed to mislead developers. “The crate typosquats the legitimate fast_log, reuses its README and repository link, and impersonates the project to mislead developers.”
Even the command-and-control server name was crafted to blend in: “The C2 endpoint host address is styled to resemble a blockchain RPC service (https://mainnet[.]solana-rpc-pool[.]workers[.]dev), which helps it blend with normal developer traffic.”
Following Socket’s disclosure, the Crates.io security team acted swiftly. The report notes, “Within an hour, we received a response… Shortly thereafter, the Crates security team preserved all faster_log and async_println files for analysis while removing the listings… locked the dumbnbased and rustguruman accounts… and published an official security advisory detailing their actions and investigation.”
The malicious Rust crates incident is yet another reminder that the software supply chain remains one of the most attractive vectors for attackers—and that vigilance at the package management level is critical to protecting developers and downstream users alike.