Two malicious Rust packages on Crates.io—faster_log and async_println—were removed after collecting roughly 8,500 downloads and quietly harvesting private keys and other developer secrets, according to threat intelligence from Socket. Published on 25 May 2025, the crates embedded runtime code to scan local environments and source trees, then exfiltrated findings to a hardcoded Cloudflare Workers endpoint.
Crates.io supply-chain attack: timeline and impact
As the central registry for Rust packages, Crates.io is a high-value target for supply-chain abuse. Socket’s analysis attributes around 7,200 downloads to faster_log and 1,200 to async_println before takedown. While both crates are now unpublished, the episode underscores the systemic risk when untrusted code is introduced via dependency managers commonly used in automated builds.
Account takedowns and package removal
Platform administrators suspended the accounts rustguruman and dumbnbased on 24 September. Crates.io indicated these publishers had no other projects and the malicious packages had no downstream dependencies, which limits blast radius. Nevertheless, anyone who built or executed projects using these crates should assume potential compromise and initiate a full environment audit.
How the malicious crates evaded detection
The operators mimicked the legitimate and popular fast_log crate by cloning its README, metadata, and baseline logging behavior. Looking and behaving like the original reduces suspicion during casual review and initial testing. The added payload preserved the expected functionality while covertly discovering secrets and exfiltrating them at runtime in applications that included these dependencies.
Exfiltration mechanism and adversary infrastructure
The embedded code scanned the host environment and project files for cryptocurrency private keys and other sensitive tokens. Matches were bundled with context—including file paths and line numbers—to improve adversary triage. The data was sent via HTTP POST to a hardcoded endpoint on Cloudflare Workers: mainnet[.]solana-rpc-pool[.]workers[.]dev. Researchers note that this is not an official Solana RPC service, indicating attacker-controlled infrastructure designed for command-and-control and exfiltration.
Risk analysis for Rust developers and projects
Even without downstream usage, the download volume alone represents meaningful exposure. If a developer’s build or runtime incorporated faster_log or async_println, secrets may have been harvested from workstations, repositories, logs, or CI/CD artifacts. This mirrors patterns seen in prior supply-chain attacks on other ecosystems (e.g., npm and PyPI), where threat actors exploit community trust and automated dependency resolution to gain stealthy access to sensitive material and financial assets.
Immediate response and hardening recommendations
For potentially affected teams:
- Remove the malicious crates from dependencies and rebuild from a clean environment; consider reimaging high-sensitivity hosts.
- Rotate secrets: migrate digital assets to new wallets, revoke and replace tokens, keys, and credentials that may have been exposed.
- Audit and purge sensitive data from repositories, build artifacts, logs, and CI/CD caches that could retain leaked secrets.
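A quick way to check whether a project ever resolved either crate is to search its Cargo.lock for the two names. The Rust program below is an added example, not code from Socket or Crates.io; the sample lockfile and its version numbers are constructed placeholders, and the reader handles only Cargo's `[[package]]` entries rather than full TOML.

```rust
use std::{env, fs, process};
// Crate names reported as malicious in the article.
const DENYLIST: [&str; 2] = ["faster_log", "async_println"];
// Constructed sample lockfile; versions are placeholders, not the real releases.
const SAMPLE_LOCK: &str = r#"version = 4

[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "faster_log",
]

[[package]]
name = "faster_log"
version = "0.0.0"
"#;

// Pull the value out of a `key = "value"` line if the key matches.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Return (name, version) for each locked package whose name is on the denylist.
fn find_flagged(lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name = String::new();
    for line in lock.lines() {
        if let Some(n) = field(line, "name") {
            // crates.io treats `-` and `_` as the same name, so normalize.
            name = n.to_ascii_lowercase().replace('-', "_");
        } else if let Some(v) = field(line, "version") {
            if DENYLIST.iter().any(|d| *d == name) {
                hits.push((name.clone(), v.to_string()));
            }
        }
    }
    hits
}

fn main() {
    let lock = env::args().nth(1).map_or(SAMPLE_LOCK.to_string(), |p| {
        fs::read_to_string(p).expect("cannot read lockfile")
    });
    let hits = find_flagged(&lock);
    hits.iter().for_each(|(n, v)| eprintln!("FLAGGED: {} {} is locked", n, v));
    process::exit(if hits.is_empty() { 0 } else { 1 });
}
```

Run it with a Cargo.lock path as the only argument; with no argument it scans the embedded sample. It exits non-zero when a listed crate is locked, so it can gate a CI job.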
To strengthen supply-chain security in Rust:
- Verify publisher reputation, review commit history, and confirm published crate contents match source repositories.
- Pin dependency versions and enforce lockfiles; use tooling such as cargo-audit, cargo-deny, and cargo-vet for policy enforcement and risk review.
- Restrict automatic retrieval of new packages in build pipelines; require pre-approval or allowlists for new dependencies.
- Store secrets in dedicated secret managers, minimize exposure in logs, and isolate build environments with network egress controls.
The discovery of faster_log and async_println reinforces a persistent reality: Rust’s supply chain is a target precisely because it is trusted and automated. Treat third-party crates with a “trust but verify” discipline—adopt rigorous review, continuous dependency auditing, and rapid secret rotation practices. Proactive controls materially reduce the odds of secret leakage and the financial and operational fallout that typically follows.