Typosquatting Attack on Rust Crate: fast_log

25 September 2025, 11:00 UTC

Overview

A sophisticated typosquatting attack targeting the Rust ecosystem was discovered on September 24th. Two malicious Rust crates, faster_log and async_println, mimicked fast_log's functionality with an exact clone of its code, tricking developers into installing malicious packages with similar names.

These two Rust crates were published on May 25th, 2025, exactly 4 months before discovery. According to Rust's official blog, the malicious crates were downloaded 7,181 times (faster_log) and 1,243 times (async_println), 8,424 downloads in total. They systematically exfiltrated Solana-style Base58 secrets, Ethereum private keys and bracketed byte arrays from projects' .rs files by searching through directories and sending the stolen data to an attacker-controlled C2 endpoint.

What is Typosquatting in Software Packages?

Typosquatting in software packages is the practice of publishing fake, malicious packages that mimic legitimate ones. Threat actors create packages with names that resemble genuine ones and inject malware into them. When a developer makes a typo while adding a package, they can accidentally install the malicious package instead.

For example, fast_log could be typosquatted as fast_logger, fastt_log, faster_log, etc.

How the Attack Worked

When a developer installs either of the two crates (faster_log or async_println) and runs "cargo run" or "cargo test", the malware iterates over the project's directory and searches all Rust source files (with the .rs file extension) for the following patterns:

  • 0x + 64 hex digits → Ethereum private keys
  • Base58 strings of 32–44 characters → Solana private keys/addresses
  • Bracketed byte arrays → raw key material, seeds, or encoded secrets

These patterns target hardcoded secrets in Rust source files, notably in dev and test code where developers may leave secrets in place to exercise application functionality. The attack is specifically designed to harvest those keys from developer laptops, CI/CD runners, or test machines.
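The same three patterns, turned into a defender's check: the following is an added example, not code from the original post or the fast_log project. It is a std-only Rust scanner that flags 0x-prefixed 64-hex keys, Base58-shaped strings and byte arrays in .rs files so they can be removed from source (and loaded from the environment instead) before any dependency gets a chance to harvest them; the minimum array length of 16 and the .rs-only directory walk are assumptions.

```rust
// Added example, not code from the original post or the fast_log project: a std-only
// scanner for the three secret shapes described above, so a team can find and remove
// them from .rs files before any dependency gets a chance to harvest them.
use std::{fs, path::Path};

#[derive(Debug, PartialEq)]
pub enum SecretKind {
    EthHexKey, // 0x followed by exactly 64 hex digits
    Base58Key, // 32..=44 Base58 characters (alphanumeric minus 0, O, I, l)
    ByteArray, // single-line [n, n, ...] with at least MIN_BYTES u8 entries
}
const MIN_BYTES: usize = 16; // assumption: shorter arrays are rarely key material
fn is_base58(c: char) -> bool {
    c.is_ascii_alphanumeric() && !"0OIl".contains(c)
}
/// Heuristic scan of one file's text, returning (line number, kind, token).
/// Long identifiers can trigger false positives: each hit is something to review.
pub fn scan_source(text: &str) -> Vec<(usize, SecretKind, String)> {
    let mut hits = Vec::new();
    for (i, line) in text.lines().enumerate() {
        // Split on anything that cannot be part of a hex or Base58 literal.
        for tok in line.split(|c: char| !c.is_ascii_alphanumeric()) {
            if tok.len() == 66 && tok.starts_with("0x") && tok[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                hits.push((i + 1, SecretKind::EthHexKey, tok.to_string()));
            } else if (32..=44).contains(&tok.len()) && tok.chars().all(is_base58) {
                hits.push((i + 1, SecretKind::Base58Key, tok.to_string()));
            }
        }
        // Last "[...]" on the line, so `let k: [u8; 32] = [..]` inspects the value, not the type.
        if let Some((a, b)) = line.rfind('[').zip(line.rfind(']')).filter(|&(a, b)| a < b) {
            let nums: Vec<&str> = line[a + 1..b].split(',').map(str::trim).filter(|s| !s.is_empty()).collect();
            if nums.len() >= MIN_BYTES && nums.iter().all(|s| s.parse::<u8>().is_ok()) {
                hits.push((i + 1, SecretKind::ByteArray, format!("[{} bytes]", nums.len())));
            }
        }
    }
    hits
}
/// Walk `dir` recursively and scan every .rs file; returns (path, findings) for files with hits.
pub fn scan_dir(dir: &Path) -> std::io::Result<Vec<(String, Vec<(usize, SecretKind, String)>)>> {
    let mut out = Vec::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if path.is_dir() {
            out.extend(scan_dir(&path)?);
        } else if path.extension().map_or(false, |e| e == "rs") {
            let hits = scan_source(&fs::read_to_string(&path)?);
            if !hits.is_empty() { out.push((path.display().to_string(), hits)); }
        }
    }
    Ok(out)
}
```

Run scan_dir over a checkout (or wire scan_source into a pre-commit hook) and treat any hit as a secret to rotate and move out of source.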

Crucially, the malicious code only runs at application runtime or test runtime, not during the build. It executes when a developer runs or tests their application, not during compilation, which makes it harder to detect.

When a hit is found for any of the above patterns, it is immediately exfiltrated to a Cloudflare workers.dev domain: https://mainnet[.]solana-rpc-pool[.]workers[.]dev/

The attackers chose a workers.dev domain because it is cheap and easy to maintain. Notably, the threat actor used "mainnet.solana-rpc-pool.workers.dev" as the C2 endpoint to disguise the exfiltration traffic as legitimate Solana RPC calls.

Solana RPC (Remote Procedure Call) is the primary way for clients (wallets, dApps, or bots) to communicate with Solana blockchain nodes. This disguise lets calls to the C2 endpoint blend in with normal network traffic, making them harder to identify as suspicious.

Impact

An exposure window of 4 months gives threat actors ample time to exfiltrate a considerable number of crypto private keys.

Complete wallet control and permanent theft:

The attacker can:

  1. Transfer all cryptocurrency funds to their own wallets
  2. Access and drain NFTs, tokens, and other digital assets
  3. Sign transactions as if they were the legitimate owner

The theft is permanent:

  1. Blockchain transactions are irreversible: once funds are moved, they're gone
  2. No bank or authority can reverse cryptocurrency transactions
  3. The legitimate owner loses access permanently

Scale of damage:

  1. Multiple wallets can be drained if keys for different addresses are found
  2. Access to business wallets could mean millions in losses

Cryptocurrency private keys are extremely valuable to attackers: they provide immediate, irreversible access to potentially large sums of money with very low risk of being caught or of the transactions being reversed. Since the original fast_log crate's functionality was preserved, a victim may not realise they have been compromised.

Timeline

  • May 25th, 2025: Malicious packages faster_log and async_println published to crates.io
  • September 24th, 2025: Socket Threat Research team discovers the malware and alerts the Rust team
  • September 24th, 2025: Both crates removed from crates.io by the Rust team at 15:34 UTC

Indicators of Compromise (IoCs)

Malicious Packages:

  • faster_log (published May 25, 2025)
  • async_println (published May 25, 2025)

Exfiltration Endpoint:

  • https://mainnet[.]solana-rpc-pool[.]workers[.]dev/

How to Know If You're Affected

Check your dependencies:

Search your Cargo.toml files for:

  • faster_log
  • async_println

Run "cargo tree" to check whether these appear anywhere in your dependency graph (including transitive dependencies).

Check your lockfiles:

  • Search Cargo.lock for the malicious package names
  • Look for publication dates around May 25, 2025
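An added example (not code from the original post) that automates the lockfile check above: a std-only Rust function that parses Cargo.lock, flags the two package names from the IoC list, and reports which packages depend on each hit, so a transitive pull-in is visible even on a CI runner where cargo tree is not run. The LockPkg struct, FLAGGED_CRATES constant and the line-based parser are this example's own assumptions about the Cargo.lock layout.

```rust
// Added example, not code from the original post: a std-only Cargo.lock audit that reports
// whether a flagged crate is present and which packages pulled it in (transitive or direct).
use std::collections::HashMap;
/// Names from the post's IoC list.
pub const FLAGGED_CRATES: &[&str] = &["faster_log", "async_println"];
struct LockPkg { name: String, version: String, deps: Vec<String> }

/// Minimal line-based parser for the `[[package]]` blocks of a Cargo.lock file.
fn parse_lock(text: &str) -> Vec<LockPkg> {
    let mut pkgs: Vec<LockPkg> = Vec::new();
    let (mut in_pkg, mut in_deps) = (false, false);
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with("[[") {
            // New table array; only `[[package]]` matters (a `[[patch.unused]]` block is skipped).
            in_pkg = line == "[[package]]";
            in_deps = false;
            if in_pkg { pkgs.push(LockPkg { name: String::new(), version: String::new(), deps: Vec::new() }); }
        } else if let Some(pkg) = pkgs.last_mut().filter(|_| in_pkg) {
            if in_deps {
                // Entries look like "name", "name 1.2.3" or "name 1.2.3 (source)"; keep the name.
                if line == "]" { in_deps = false; }
                else if let Some(dep) = line.trim_matches(|c: char| c == '"' || c == ',').split_whitespace().next() {
                    pkg.deps.push(dep.to_string());
                }
            } else if let Some(v) = line.strip_prefix("name = ") {
                pkg.name = v.trim_matches('"').to_string();
            } else if let Some(v) = line.strip_prefix("version = ") {
                pkg.version = v.trim_matches('"').to_string();
            } else if line.starts_with("dependencies = [") {
                in_deps = !line.ends_with(']'); // a one-line `dependencies = []` needs no state
            }
        }
    }
    pkgs
}

/// Returns (flagged crate, locked version, packages that depend on it) for every hit.
pub fn find_flagged(lock_text: &str, flagged: &[&str]) -> Vec<(String, String, Vec<String>)> {
    let pkgs = parse_lock(lock_text);
    let mut dependents: HashMap<&str, Vec<String>> = HashMap::new();
    for p in &pkgs {
        for d in &p.deps {
            dependents.entry(d.as_str()).or_default().push(p.name.clone());
        }
    }
    pkgs.iter()
        .filter(|p| flagged.contains(&p.name.as_str()))
        .map(|p| (p.name.clone(), p.version.clone(), dependents.get(p.name.as_str()).cloned().unwrap_or_default()))
        .collect()
}
```

Feed it the contents of each Cargo.lock in the repository; an empty result means neither flagged crate is locked into that build.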

If you used these packages:

  • Assume compromise: the malicious code executed at runtime when you tested or ran your project
  • Rotate all cryptocurrency private keys that might have been accessible in your development environment
  • Check for hardcoded secrets in your .rs files that the malware could have found
  • Monitor your wallets for unauthorized transactions

Conclusion

As supply chain attacks become increasingly common across many ecosystems, it is critical to follow best practices such as dependency verification, avoiding hardcoded secrets even in dev environments, and maintaining vigilance when adding new dependencies. The 4-month exposure window in this attack demonstrates how long malicious packages can remain undetected, making proactive security measures essential.

Stay vigilant. Stay secure.