Two malicious packages, totaling about 8,500 downloads, have been discovered in the official Rust repository. The malware scanned developers’ systems to steal private cryptocurrency keys and other secrets.
Rust packages (also known as crates) are distributed through Crates.io — the equivalent of npm for JavaScript, PyPI for Python, and RubyGems for Ruby.
Specialists at Socket report that the malicious crates faster_log and async_println were published on the platform on May 25, 2025, and were downloaded 7,200 and 1,200 times, respectively.
At present, both packages have already been removed from the platform, and on September 24 the accounts that published them — rustguruman and dumbnbased — were suspended.
Researchers report that the crates masqueraded as the legitimate fast_log package by copying its README file, repository metadata, and retaining logging functionality to reduce potential suspicion from victims. Meanwhile, the attackers leveraged the log file packaging functionality to search for sensitive information.
The payload hidden in the malicious packages ran during program execution and scanned the victim’s environment and the project’s source files for three types of data:
- hex strings resembling Ethereum private keys;
- base58 strings resembling Solana keys/addresses;
- byte arrays in brackets that may conceal keys and seed phrases.
If matches were found, the malware packaged them together with the file path and line number, then sent the data to a hardcoded Cloudflare Worker URL (mainnet[.]solana-rpc-pool[.]workers[.]dev). This endpoint was active and accepting POST requests during the investigation; however, it is noted that it is not an official Solana RPC endpoint.
Crates.io representatives reported that the malicious packages had no downstream crates depending on them, and the blocked users had not uploaded any other projects. However, developers who used either of the crates should perform a system cleanup and move their digital assets to new wallets to prevent theft.
Researchers remind developers to check the publisher’s reputation before installing a Rust crate. They also recommend double-checking the build instructions to ensure they don’t automatically download malicious packages.