Cybercriminals have launched a supply chain attack targeting cryptocurrency developers through malicious Rust crates designed to steal digital wallet keys.
Two fraudulent packages, faster_log and async_println, were published to crates.io, the Rust package registry, impersonating the legitimate fast_log logging library. Both embed code that scans source files for Solana and Ethereum private keys and exfiltrates any matches to an attacker-controlled server.
The malicious crates were published on May 25, 2025, under the aliases rustguruman and dumbnbased, accumulating 8,424 combined downloads before their discovery.
These packages maintained functional logging capabilities to evade detection while secretly harvesting cryptocurrency credentials from developers’ source code and project files.
The attackers relied on typosquatting (faster_log for fast_log) and copied the original fast_log README and repository metadata, producing convincing imposters that could pass a casual review.
Socket.dev analysts identified the malicious packages during routine threat monitoring, discovering their sophisticated credential theft mechanisms.
The researchers found that both crates implemented identical exfiltration workflows, scanning for three specific patterns: Ethereum private keys written as 0x followed by 64 hexadecimal characters; runs of 32 to 44 Base58 characters, the length of a Solana address or public key (a Base58-encoded Solana secret key is about 88 characters and would not match whole); and bracketed byte arrays that could contain encoded key material.
Upon detection of any matching pattern, the malware immediately transmits the stolen credentials to a hardcoded command and control endpoint at mainnet.solana-rpc-pool.workers.dev, a hostname on Cloudflare Workers' default domain chosen to resemble legitimate Solana RPC infrastructure.
The attack vector exploits developer trust in package repositories, demonstrating how minimal code modifications can create significant security risks.
The threat actors maintained the original logging functionality while embedding their credential harvesting routines, ensuring the packages would function as expected during initial testing and integration phases.
This approach allowed the malicious code to operate undetected within development environments and continuous integration pipelines.
Technical Implementation and Exfiltration Mechanism
The malware's core is a scanning routine, written in Rust, that recursively walks project directories.
It uses regular expressions to pick out cryptocurrency secrets embedded in source files, targeting the textual formats blockchain developers commonly paste into code and configuration.
```rust
// Exfiltration target hardcoded in both crates (as reported by Socket.dev)
const HARDCODED_ENDPOINT: &str = "https://mainnet.solana-rpc-pool.workers.dev/";

// One record per match; serialized into the JSON payload sent to the endpoint
pub struct FoundItem {
    pub item_type: String, // which of the three patterns matched
    pub value: String,     // the matched text itself
    pub file_path: String, // file the match was found in
    pub line_number: usize,
}
```
The implementation employs three targeted regular expressions. The first, "0x[0-9a-fA-F]{64}", captures 64 hexadecimal characters prefixed with 0x, the standard textual form of an Ethereum private key; any 66-character string of that shape is reported, so 0x-prefixed transaction and block hashes of the same length are false positives. The second, "[1-9A-HJ-NP-Za-km-z]{32,44}", matches runs of 32 to 44 characters from the Base58 alphabet (which omits 0, O, I and l); that length range covers Solana addresses and public keys, and it will also fire on any other Base58-looking token of that length, such as a hex hash that happens to contain no zeros. The third pattern captures bracketed integer arrays in formats like [0x12, 0xAB, ...] or [1, 2, ...], the form in which raw key or seed bytes are typically embedded in code and in Solana's JSON keypair files.
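The three patterns above can be run defensively against your own tree to find the same material before a malicious dependency does. The following is an added example, not code from the malicious crates or from Socket.dev, written in standard-library Rust only (no regex crate). It mirrors the first and third patterns directly and approximates the second with a maximal-run check, so a 64-character hex key body is not also reported as a Base58 hit. The sample source text at the bottom is constructed and contains dummy values, not real keys.

```rust
// Added example: std-only re-implementation of the three patterns, for
// scanning your own sources. Not the malicious crates' code.

#[derive(Debug, Clone, PartialEq)]
pub struct FoundItem {
    pub item_type: String,
    pub value: String,
    pub line_number: usize,
}

/// Base58 alphabet: 1-9, A-H, J-N, P-Z, a-k, m-z (no 0, O, I, l).
fn is_base58(b: u8) -> bool {
    matches!(b, b'1'..=b'9' | b'A'..=b'H' | b'J'..=b'N' | b'P'..=b'Z' | b'a'..=b'k' | b'm'..=b'z')
}

/// Pattern 1, exactly as the regex 0x[0-9a-fA-F]{64}: "0x" plus 64 hex digits.
pub fn find_eth_keys(line: &str) -> Vec<String> {
    let b = line.as_bytes();
    let mut out = Vec::new();
    let mut i = 0;
    while i + 66 <= b.len() {
        if &b[i..i + 2] == b"0x" && b[i + 2..i + 66].iter().all(|c| c.is_ascii_hexdigit()) {
            out.push(line[i..i + 66].to_string());
            i += 66;
        } else {
            i += 1;
        }
    }
    out
}

/// Pattern 2, approximated: maximal runs of Base58 characters whose length is 32..=44.
/// (The crates' regex would also report a 32-44 char prefix of a longer run.)
pub fn find_base58_runs(line: &str) -> Vec<String> {
    let b = line.as_bytes();
    let mut out = Vec::new();
    let mut i = 0;
    while i < b.len() {
        if is_base58(b[i]) {
            let start = i;
            while i < b.len() && is_base58(b[i]) {
                i += 1;
            }
            if (32..=44).contains(&(i - start)) {
                out.push(line[start..i].to_string());
            }
        } else {
            i += 1;
        }
    }
    out
}

/// Pattern 3: bracketed arrays whose every element is a decimal or 0x-hex integer.
pub fn find_byte_arrays(line: &str) -> Vec<String> {
    let is_int = |s: &str| {
        !s.is_empty()
            && (s.chars().all(|c| c.is_ascii_digit())
                || (s.len() > 2 && s.starts_with("0x") && s[2..].chars().all(|c| c.is_ascii_hexdigit())))
    };
    let mut out = Vec::new();
    let mut rest = line;
    while let Some(open) = rest.find('[') {
        let close = match rest[open..].find(']') {
            Some(c) => open + c,
            None => break,
        };
        let elems: Vec<&str> = rest[open + 1..close].split(',').map(str::trim).collect();
        if elems.iter().all(|e| is_int(e)) {
            out.push(rest[open..=close].to_string());
        }
        rest = &rest[close + 1..];
    }
    out
}

/// Scan a source text line by line, recording the line of every hit.
pub fn scan_source(src: &str) -> Vec<FoundItem> {
    let mut found = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let line_number = idx + 1;
        let hits = [
            ("eth_private_key", find_eth_keys(line)),
            ("base58_32_44", find_base58_runs(line)),
            ("byte_array", find_byte_arrays(line)),
        ];
        for (kind, values) in hits {
            for value in values {
                found.push(FoundItem { item_type: kind.to_string(), value, line_number });
            }
        }
    }
    found
}

/// Constructed sample input with dummy values (not real keys).
pub const SAMPLE: &str = "let eth = \"0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\";\n\
let sol = \"11111111111111111111111111111111\"; // system program id, 32 chars\n\
let kp: [u8; 4] = [0x12, 0xAB, 3, 4];\n\
let commit = \"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2\"; // zero-free hex also matches\n";

fn main() {
    for item in scan_source(SAMPLE) {
        println!("{:>15} line {}: {}", item.item_type, item.line_number, item.value);
    }
}
```

The fourth sample line shows the false-positive problem built into pattern two: a 40-character hex string containing no zeros is indistinguishable from a Solana address to this check, which is why the attackers batch hits with file and line context rather than trusting a single match.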
When the scanning function identifies a match, it constructs a record containing the exact file path, line number, matched value, and pattern type.
This precise location tracking suggests the attackers intended follow-up operations, or planned to hand detailed intelligence to buyers of the stolen credentials.
The malware batches multiple discoveries into a JSON payload before transmitting it via an HTTP POST request to the command and control endpoint; because the request is plain HTTPS to a workers.dev host, it blends in with legitimate outbound traffic.
The exfiltration mechanism operates through a Rust reqwest client that sends structured data to the Cloudflare Workers-hosted endpoint.
This hosting choice provides the attackers with anonymity, scalability, and the ability to rapidly modify their collection infrastructure without maintaining dedicated servers.
The malicious crates scan at application runtime, once the dependent program executes, rather than during compilation, so the scan runs inside developers' active working environments and CI jobs, where cryptocurrency credentials are most likely to be present on disk.
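Because the scan only fires when the dependent program runs, the practical response is to check what is locked into the build and whether any vendored source carries the hardcoded endpoint. The following is an added example, not code from the crates, Socket.dev, or cargo: a minimal Cargo.lock parser that flags the two crate names named in this report, plus a line search for the exfiltration hostname. The lock file and source text are constructed; the versions and checksum in them are dummy values.

```rust
// Added example: audit a Cargo.lock and source text for the indicators in
// this report. Not code from the crates or from cargo.

/// Crate names from the Socket.dev report.
pub const MALICIOUS_CRATES: &[&str] = &["faster_log", "async_println"];
/// Exfiltration host from the report (hostname only, so scheme/path variants still hit).
pub const IOC_HOST: &str = "solana-rpc-pool.workers.dev";

#[derive(Debug, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub source: Option<String>, // None for path/workspace crates
}

/// Minimal parser for the [[package]] blocks of a Cargo.lock. Only `key = "value"`
/// lines are read; multi-line `dependencies = [...]` lists are skipped.
pub fn parse_cargo_lock(lock: &str) -> Vec<LockedPackage> {
    let mut pkgs = Vec::new();
    let mut cur: Option<LockedPackage> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = cur.take() {
                pkgs.push(p);
            }
            cur = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
            continue;
        }
        let p = match cur.as_mut() {
            Some(p) => p,
            None => continue, // header lines such as `version = 3`
        };
        if let Some((k, v)) = line.split_once(" = ") {
            let v = v.trim_matches('"').to_string();
            match k {
                "name" => p.name = v,
                "version" => p.version = v,
                "source" => p.source = Some(v),
                _ => {}
            }
        }
    }
    if let Some(p) = cur {
        pkgs.push(p);
    }
    pkgs
}

/// "name version (source)" for every locked package on the deny list.
pub fn flag_packages(pkgs: &[LockedPackage]) -> Vec<String> {
    pkgs.iter()
        .filter(|p| MALICIOUS_CRATES.contains(&p.name.as_str()))
        .map(|p| format!("{} {} ({})", p.name, p.version, p.source.as_deref().unwrap_or("path")))
        .collect()
}

/// (line number, trimmed line) for every line mentioning the exfil host.
pub fn find_ioc_lines(src: &str) -> Vec<(usize, String)> {
    src.lines()
        .enumerate()
        .filter(|(_, l)| l.contains(IOC_HOST))
        .map(|(i, l)| (i + 1, l.trim().to_string()))
        .collect()
}

/// Constructed Cargo.lock; versions and checksum are dummies.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "faster_log",
 "serde",
]

[[package]]
name = "faster_log"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed source text; the first line is the constant quoted in the article.
pub const SAMPLE_SRC: &str = r#"const HARDCODED_ENDPOINT: &str = "https://mainnet.solana-rpc-pool.workers.dev/";
pub fn info(msg: &str) { println!("{}", msg); }"#;

fn main() {
    let pkgs = parse_cargo_lock(SAMPLE_LOCK);
    for f in flag_packages(&pkgs) {
        println!("FLAGGED dependency: {}", f);
    }
    for (n, l) in find_ioc_lines(SAMPLE_SRC) {
        println!("IOC at line {}: {}", n, l);
    }
}
```

Run the lock check against every Cargo.lock in the repository and the IOC search against ~/.cargo/registry/src and any vendor/ directory; a hit in either is grounds to rotate every key that was present in the working tree while the affected binary ran.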