Malicious Rust crates impersonating fast_log steal Solana and Ethereum wallet keys, researchers say

Cybersecurity researchers have uncovered two malicious Rust crates that impersonate a widely used logging library to siphon private wallet keys from developers’ source code. The packages, named faster_log and async_println, were tied to threat actors operating under the aliases rustguruman and dumbnbased on crates.io. The packages were published on May 25, 2025 and have since accumulated thousands of downloads, according to Socket.

Security researchers describe the operation as a typosquatting-style supply chain attack. The malicious crates include functional logging code to camouflage their presence and embed routines that scan Rust source files (with the .rs extension) for Solana and Ethereum private keys and bracketed byte arrays. When a match is found, the data is exfiltrated via HTTP POST to a hardcoded command-and-control endpoint, the Socket analysis notes. For context, the legitimate fast_log library is listed on crates.io, where users can review the real project.

Details of the operation and the actors behind it are documented in industry notes and the Rust ecosystem’s security blog. The researchers cited the two crates as a minimal yet effective example of how deception and simple functionality can create notable supply chain risk: a believable logger with copied design and README content can bypass casual review while quietly harvesting wallet keys from developer laptops and CI environments. The analysis is summarized in the Rust ecosystem’s write-ups at Rust Lang Blog and the accompanying security report.

Following responsible disclosure, Crates.io moved to remove the two malicious crates and disable the associated publisher accounts. The platform said it preserved logs of the threat actor-operated accounts along with the crates for further analysis and defense, while noting that the malicious code executed at runtime rather than at build time. The Rust Lang Blog underscores that the malicious payload was designed to operate when projects depending on the crates were run or tested, not during the build process itself.

The attack included typosquatting and naming mimicry designed to resemble legitimate tooling. In its write-up, Socket highlights the use of a domain that appears to mimic legitimate Solana endpoints, and notes the broader risk to developers relying on third‑party crates. The exposed infrastructure and domain usage are discussed in the Socket piece, which also references a public Rust ecosystem advisory. The technical discussion is complemented by the ecosystem’s official notes on how the two crates operated and were subsequently removed.

Security researchers emphasize that this campaign demonstrates the ease with which a small, innocuously named piece of code can become a conduit for sensitive data. As Crates.io and the broader Rust community continue to scrutinize supply chains, experts advise developers to actively review dependencies, verify crate provenance, and apply strict supply chain hygiene as part of standard software development workflows. Related public disclosures and background on the incident are available from multiple sources, including the Socket blog and the Rust Lang Blog.

As the investigation continues, researchers reiterate the importance of ongoing vigilance in software supply chains and encourage developers to review dependency graphs and monitor for similar impersonation attempts.
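
As an added illustration of the dependency review advised above (not code from Socket, crates.io or any affected project), the following Rust program checks the package names in a Cargo.lock against the two crate names reported here and also flags names within a small edit distance of fast_log. The sample lockfile, the `fast-logg` lookalike name and the distance threshold of 2 are constructed assumptions.

```rust
const KNOWN_BAD: [&str; 2] = ["faster_log", "async_println"]; // names reported in the article
const TRUSTED: [&str; 1] = ["fast_log"]; // the legitimate crate being impersonated
const MAX_DISTANCE: usize = 2; // assumed lookalike threshold
// Constructed sample lockfile; "fast-logg" is an invented lookalike name.
const SAMPLE_LOCK: &str = r#"[[package]]
name = "fast_log"
[[package]]
name = "faster_log"
[[package]]
name = "fast-logg"
[[package]]
name = "serde"
"#;

#[derive(Debug, PartialEq)]
enum Finding { KnownMalicious(String), Lookalike(String, &'static str) }

fn edit_distance(a: &str, b: &str) -> usize { // Levenshtein, two-row DP
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let sub = prev[j] + usize::from(ca != cb);
            cur.push(sub.min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

// Cargo.lock lists each resolved crate as a [[package]] table with a name key.
fn package_names(lock: &str) -> Vec<String> {
    lock.lines().filter_map(|l| l.trim().strip_prefix("name = "))
        .map(|v| v.trim_matches('"').to_string()).collect()
}

fn audit(lock: &str) -> Vec<Finding> {
    package_names(lock).into_iter().filter_map(|name| {
        let n = name.replace('-', "_").to_lowercase(); // crates.io treats - and _ alike
        if KNOWN_BAD.contains(&n.as_str()) { return Some(Finding::KnownMalicious(name)); }
        let near = |t: &&str| (1..=MAX_DISTANCE).contains(&edit_distance(&n, t));
        TRUSTED.iter().copied().find(near).map(|t| Finding::Lookalike(name, t))
    }).collect()
}

fn main() {
    for f in audit(SAMPLE_LOCK) { println!("{:?}", f); }
}
```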