Scrape Timestamp (UTC): 2025-09-25 15:44:20.465
Malicious Rust packages on Crates.io steal crypto wallet keys

Two malicious packages with nearly 8,500 downloads in Rust's official crate repository scanned developers' systems to steal cryptocurrency private keys and other secrets.

Rust crates are distributed through a central registry at Crates.io, the equivalent of npm for JavaScript, PyPI for Python, and RubyGems for Ruby.

The malicious crates, named faster_log and async_println, were published on the platform on May 25 and were downloaded 7,200 and 1,200 times, respectively.

Researchers at code security company Socket discovered the malicious crates and reported them to Crates.io. The platform removed both and suspended the publishing accounts, 'rustguruman' and 'dumbnbased', on September 24th.

Targeting crypto secrets

Socket explains in a report that the two crates impersonated the legitimate ‘fast_log’ crate, copying its README file and repository metadata and retaining the real project’s logging functionality to reduce suspicion.

The attackers abused the log file packing functionality to scan for sensitive information. A payload hidden in the malicious crates executed at runtime to scan the victim’s environment and project source files for the following three item types:

When the code found matches, it bundled them with the file path and line number and exfiltrated the data to a hardcoded Cloudflare Worker URL (mainnet[.]solana-rpc-pool[.]workers[.]dev). Socket confirmed that this endpoint was live and accepting POST requests during its tests, noting that the host is not an official Solana RPC endpoint.

Crates.io noted in its announcement that the malicious crates had no dependent downstream crates on the platform, and the two banned publishers had submitted no other projects, so the incident is considered resolved.

Developers who have downloaded either crate need to perform a system cleanup and move their digital assets to new wallets to prevent theft.
Before downloading a Rust crate, developers should verify the publisher's reputation. Another defense is to double-check build instructions and build scripts to make sure they don't automatically fetch malicious packages.
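As an added example (not code from Socket, Crates.io or the article), a small Rust audit that reads a Cargo.lock, flags the two crates named above, and lists any package name within two edits of the impersonated fast_log crate for manual review. The lockfile it processes is constructed for the demo, with placeholder versions, and "fast_logg" is an invented look-alike name.

```rust
/// Crate names the report identifies as malicious, and the crate they impersonated.
const KNOWN_MALICIOUS: &[&str] = &["faster_log", "async_println"];
const IMPERSONATED: &str = "fast_log";

#[derive(Debug, PartialEq)]
pub enum Finding { KnownMalicious(String), LookAlike(String) }

/// Minimal Cargo.lock reader: collects every `name = "..."` inside a [[package]] table.
/// Assumes the standard lockfile layout, so no TOML crate is needed.
pub fn package_names(lock: &str) -> Vec<String> {
    let (mut names, mut in_package) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') { in_package = line == "[[package]]"; continue; }
        if let (true, Some(rest)) = (in_package, line.strip_prefix("name = \"")) {
            if let Some(name) = rest.strip_suffix('"') { names.push(name.to_string()); }
        }
    }
    names
}
/// Levenshtein distance; a name within two edits of fast_log deserves a manual look.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1; b.len() + 1];
        for (j, cb) in b.iter().enumerate() {
            cur[j + 1] = (prev[j] + usize::from(ca != cb)).min(prev[j + 1] + 1).min(cur[j] + 1);
        }
        prev = cur;
    }
    prev[b.len()]
}
/// Exact hits on the reported crates, plus fast_log look-alikes for triage (a hint, not a verdict).
pub fn audit(lock: &str) -> Vec<Finding> {
    package_names(lock).iter().filter_map(|n| match n.as_str() {
        s if KNOWN_MALICIOUS.contains(&s) => Some(Finding::KnownMalicious(s.to_string())),
        s if s != IMPERSONATED && edit_distance(s, IMPERSONATED) <= 2 => Some(Finding::LookAlike(s.to_string())),
        _ => None,
    }).collect()
}
/// Constructed lockfile for the demo (placeholder versions; "fast_logg" is an invented look-alike).
pub fn sample_lock() -> String {
    ["fast_log", "faster_log", "serde", "async_println", "fast_logg"].iter()
        .map(|n| format!("[[package]]\nname = \"{n}\"\nversion = \"0.0.0\"\n\n")).collect()
}
fn main() {
    // Audit the Cargo.lock in the working directory, or fall back to the constructed sample.
    let lock = std::fs::read_to_string("Cargo.lock").unwrap_or_else(|_| sample_lock());
    for finding in audit(&lock) { println!("{finding:?}"); }
}
```

Run it from a project root to check that project's lockfile; a KnownMalicious hit means the cleanup and wallet rotation steps above apply.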
Daily Brief Summary
Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io, targeting developers' crypto wallet keys and sensitive information.
The packages mimicked the legitimate fast_log crate, retaining its functionality to avoid detection while embedding malicious code that exfiltrated data.
Attackers exploited the log file packing feature to scan systems for sensitive data, sending it to a Cloudflare Worker URL not affiliated with Solana RPC.
Crates.io swiftly removed the malicious packages and suspended the accounts 'rustguruman' and 'dumbnbased' responsible for their publication.
Developers affected by these packages are advised to clean their systems and transfer digital assets to new wallets to mitigate potential theft.
This incident serves as a reminder to verify the reputation of package publishers and review build instructions to avoid inadvertently downloading harmful software.
The attack had limited impact due to the absence of dependent downstream crates and no other submissions from the banned publishers.