Cybercriminals have launched a sophisticated supply chain attack targeting cryptocurrency developers through malicious Rust crates designed to steal digital wallet keys.<\/p>\n
Two fraudulent packages, faster_log and async_println, have infiltrated the Rust package registry by impersonating the legitimate fast_log logging library, embedding malicious code that scans source files for Solana and Ethereum private keys before exfiltrating them to attacker-controlled servers.<\/p>\n
The malicious crates were published on May 25, 2025, under the aliases rustguruman and dumbnbased, accumulating 8,424 combined downloads before their discovery.<\/p>\n
These packages maintained functional logging capabilities to evade detection while secretly harvesting cryptocurrency credentials from developers\u2019 source code and project files.<\/p>\n
The attackers employed typosquatting techniques, copying the original fast_log\u2019s README documentation and repository metadata to create convincing imposters that could pass casual review processes.<\/p>\n
Socket.dev analysts identified<\/a> the malicious packages during routine threat monitoring, discovering their sophisticated credential theft mechanisms.<\/p>\n The researchers found that both crates implemented identical exfiltration workflows, scanning for three specific patterns: Ethereum private keys formatted as 64-character hexadecimal strings with 0x prefixes, Base58-encoded Solana addresses and keys ranging from 32 to 44 characters, and bracketed byte arrays that could contain encoded key material.<\/p>\n Upon detection of any matching patterns, the malware<\/a> immediately transmits the stolen credentials to a hardcoded command and control endpoint hosted at mainnet.solana-rpc-pool.workers.dev, cleverly disguised to resemble legitimate Solana RPC infrastructure.<\/p>\n The attack vector exploits developer trust in package repositories, demonstrating how minimal code modifications can create significant security risks.<\/p>\n The threat actors maintained the original logging functionality while embedding their credential harvesting routines, ensuring the packages would function as expected during initial testing and integration phases.<\/p>\n This approach allowed the malicious code to operate undetected within development environments and continuous integration pipelines.<\/p>\n The malware\u2019s core functionality revolves around a sophisticated scanning engine implemented in Rust that recursively processes project directories.<\/p>\n The malicious code utilizes regular expressions to identify cryptocurrency-related secrets embedded in source files, focusing specifically on patterns commonly used by blockchain developers.<\/p>\n The implementation employs three targeted regular expressions for pattern matching. The first targets Ethereum<\/a> private keys using the pattern The second regex The third pattern captures bracketed byte arrays in formats like When the scanning function identifies matching patterns, it constructs detailed forensic records that include the exact file path, line number, matched value, and pattern type.<\/p>\n This precise location tracking suggests the attackers may have intended to conduct follow-up operations or provide detailed intelligence to buyers of the stolen credentials.<\/p>\n The malware batches multiple discoveries into JSON payloads before transmitting them via HTTP POST requests to the attacker\u2019s command and control infrastructure, utilizing standard HTTPS encryption to blend with legitimate network traffic.<\/p>\n The exfiltration mechanism operates through a Rust reqwest client that sends structured data to the Cloudflare<\/a> Workers-hosted endpoint.<\/p>\n This hosting choice provides the attackers with anonymity, scalability, and the ability to rapidly modify their collection infrastructure without maintaining dedicated servers.<\/p>\n The malicious crates process files at application runtime rather than during compilation, ensuring the scanning occurs within developers\u2019 active working environments where cryptocurrency credentials are most likely to be present and accessible.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Malicious Rust Crates Impersonating fast_log to Steal Solana and Ethereum Wallet Keys<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTt67s56ioXCYzu7GKWL2oTOIRGN0VWW2hZLcFtUDW41XOLJmuAyo1YgZAPQNox_f0gmsZAcO7Uwi-CtmXITk4rmUflj7y6c8ceOfnebNcwQ5q6994BHlvadkS_vU1OXBLJTIp4SZHC7m3RIdQnYXlQ-HSfcMZ17anXJZ79eu8KAbxxwWGgIK5OwL4cvQ\/s16000\/Center%2520shows%2520the%2520legitimate%2520fast_log%2C%2520while%2520left%2520%28faster_log%29%2520and%2520right%2520%28async_println%29%2520are%2520malicious%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
Technical Implementation and Exfiltration Mechanism<\/strong><\/h2>\n
const HARDCODED_ENDPOINT: &str = \"https:\/\/mainnet.solana-rpc-pool.workers.dev\/\";\n\npub struct FoundItem {\n pub item_type: String,\n pub value: String,\n pub file_path: String,\n pub line_number: usize,\n}<\/code><\/pre>\n\"0x[0-9a-fA-F]{64}\"<\/code> to capture 64-character hexadecimal strings prefixed with 0x, which represent standard Ethereum private key formats.<\/p>\n\"[1-9A-HJ-NP-Za-km-z]{32,44}\"<\/code> identifies Base58-encoded strings typical of Solana addresses and public keys, with length constraints matching Solana\u2019s cryptographic specifications.<\/p>\n[0x12, 0xAB, ...]<\/code> or [1,2,...]<\/code> that could contain raw key bytes or embedded seed phrases.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTq3FM82QxbjG1zHbOIFg9tmWqEuMffLTTFI9NxWws6qYkC4GvjlkP6ltsRXBSUN1fSagnHvUfgo9aqwACPuck8Le2VouVLDK-s6oWiBAtDBfgZKt8_s08TXudaAuAIu2hmHu_sY_hbV-6gGz5Xou9Qw86I60vhuRAQwTcpedWupMqRdsQxU-iNnBsVoM\/s16000\/Crates.io%2520search%2520for%2520fast_log%2520showed%2520the%2520legitimate%2520fast_log%2520alongside%2520two%2520imposters%2C%2520faster_log%2520and%2520async_println%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")