
Introduction
In the fast-growing world of blockchain and cryptocurrency, every line of code can mean the difference between security and disaster. Recently, cybersecurity researchers uncovered a dangerous supply chain attack targeting developers through Rust crates, one of the most popular ecosystems for building safe and fast applications. These malicious packages were designed to look like legitimate libraries but carried hidden code that secretly scanned projects for private crypto keys and funneled them to hacker-controlled servers. This discovery shines a light on how clever cybercriminals are becoming — and why developers must stay vigilant.
The Discovery
Cybersecurity experts revealed that two Rust crates — faster_log and async_println — were published on May 25, 2025, by users under the names rustguruman and dumbnbased. Together, they were downloaded 8,424 times before being taken down.
The attack impersonated a trusted crate named fast_log, tricking developers with almost identical features, code, and documentation. While the crates functioned as normal logging libraries, they secretly contained malicious routines that scanned source code for Ethereum and Solana wallet private keys. Once detected, the keys were exfiltrated via HTTP POST requests to a command-and-control (C2) endpoint disguised as a Solana-related domain:
`mainnet.solana-rpc-pool.workers[.]dev`.
The threat was especially deceptive because:
The malicious code executed only at runtime, not at build time, making detection harder.
The attackers copied README files and even linked to the real GitHub repository to appear authentic.
The fake crates cleverly mimicked Solana’s Mainnet Beta RPC endpoint, adding more credibility.
Following a responsible disclosure, crates.io maintainers removed the malicious packages, disabled the accounts involved, and preserved logs for forensic investigation. Researchers highlighted that, although the crates had no dependent downstream crates, their existence shows how a simple typosquatting attack could lead to major breaches if unnoticed.
According to security researcher Kirill Boychenko, the campaign demonstrated how “minimal code and simple deception” can bypass casual reviews and potentially compromise developer environments, CI pipelines, and even production systems.
This incident underscores a growing concern: attackers don’t always need advanced exploits. Sometimes, a familiar name and a small hidden script are enough to infiltrate the software supply chain.
What Undercode Say: 🔍
The Bigger Picture of Software Supply Chain Attacks
Supply chain attacks are becoming one of the most dangerous trends in cybersecurity. By inserting malicious code into popular libraries or tools, hackers don’t need to target individuals directly — they let developers unknowingly distribute malware themselves. This incident with Rust crates mirrors earlier attacks in npm, PyPI, and even Docker Hub, showing that no open-source ecosystem is immune.
Why Crypto Wallets Are Prime Targets
Private keys are the lifeblood of cryptocurrency ownership. Whoever holds the keys controls the funds. That’s why Solana and Ethereum wallets remain constant targets. Unlike passwords, lost private keys cannot be reset or recovered. Once stolen, assets are gone forever. Hackers know this — making crypto developers a goldmine for quick financial theft.
The Clever Use of Typosquatting
The malicious actors used a technique called typosquatting, where attackers publish packages with names nearly identical to popular ones. Developers rushing through dependencies may mistakenly install the wrong library, unknowingly opening the door to attackers. In this case, fast_log became faster_log, a subtle difference that could easily be overlooked.
The Runtime Trap
One of the most deceptive aspects of the crates was that they executed malicious payloads only when running or testing projects, not during builds. This means static checks and initial installation reviews might not catch the threat. Attackers used the element of timing to evade quick security scans.
The Role of Cloudflare Workers in Disguise
The stolen keys were sent to a Cloudflare Workers domain, a clever way to avoid raising suspicion. By mimicking Solana’s official endpoint, the attackers increased their chances of hiding in plain sight. This demonstrates how social engineering applies not just to people but also to how code is disguised.
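Because the payload only runs when a project is run or tested, one place to catch it is outbound traffic logged during test runs. The following is an added example, not code from the researchers or from crates.io; the log format, the allowed-host list and the `example.invalid` host are assumptions, and the indicator is stored in the defanged form printed above.

```rust
// Indicator copied from the article in its defanged form.
const IOC_DEFANGED: &str = "mainnet.solana-rpc-pool.workers[.]dev";
// Assumption: hosts this hypothetical CI job is expected to reach.
const ALLOWED: [&str; 3] = ["crates.io", "index.crates.io", "static.crates.io"];

#[derive(Debug, PartialEq)]
enum Verdict { Allowed, KnownC2, UnexpectedPost, UnexpectedHost }

/// Lowercase the host and drop a port or trailing dot so comparisons are exact.
fn normalize_host(raw: &str) -> String {
    let host = raw.split(':').next().unwrap_or(raw);
    host.trim_end_matches('.').to_ascii_lowercase()
}

/// Classify one line in the hypothetical format "METHOD host[:port] path".
fn classify(line: &str) -> Option<Verdict> {
    let mut fields = line.split_whitespace();
    let method = fields.next()?.to_ascii_uppercase();
    let host = normalize_host(fields.next()?);
    let ioc = IOC_DEFANGED.replace("[.]", ".");
    Some(if host == ioc {
        Verdict::KnownC2
    } else if ALLOWED.contains(&host.as_str()) {
        Verdict::Allowed
    } else if method == "POST" {
        Verdict::UnexpectedPost
    } else {
        Verdict::UnexpectedHost
    })
}

/// Return every line that is not plainly allowed, with its verdict.
fn flag(log: &str) -> Vec<(&str, Verdict)> {
    log.lines()
        .filter_map(|l| classify(l).map(|v| (l, v)))
        .filter(|(_, v)| *v != Verdict::Allowed)
        .collect()
}

fn main() {
    // Constructed log lines; the paths and the example.invalid host are made up.
    let c2 = IOC_DEFANGED.replace("[.]", ".").to_uppercase();
    let log = format!("GET index.crates.io /config.json\nPOST {c2}:443 /\nPOST telemetry.example.invalid /v1\n");
    for (line, verdict) in flag(&log) {
        println!("{verdict:?}: {line}");
    }
}
```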
Lessons for Developers
Always verify package names and repositories.
Use automated tools like Socket, Snyk, or GitHub Dependabot to detect anomalies.
Regularly audit code dependencies, especially when working on sensitive applications like wallets or financial platforms.
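One way to put the first and third points into practice is a lockfile check that flags the two crates named above and any dependency whose name is within two edits of a crate the project actually expects. This is an added example, not part of the original report; the expected-crate list, the distance threshold of 2 and the sample lockfile are assumptions.

```rust
// Crates the article names as malicious.
const KNOWN_BAD: [&str; 2] = ["faster_log", "async_println"];

/// crates.io treats `-` and `_` as the same character, so compare normalized names.
fn norm(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Levenshtein edit distance (two-row dynamic programming).
fn edit_distance(a: &str, b: &str) -> usize {
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.chars().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let sub = prev[j] + usize::from(ca != *cb);
            cur.push(sub.min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns (crate name, reason) for every suspicious `name = "..."` entry in a lockfile.
fn audit_lockfile(lock: &str, expected: &[&str]) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    for line in lock.lines() {
        let Some(rest) = line.trim().strip_prefix("name = \"") else { continue };
        let name = norm(rest.trim_end_matches('"'));
        if KNOWN_BAD.contains(&name.as_str()) {
            findings.push((name, "named in the article".to_string()));
        } else if let Some(e) = expected.iter().find(|e| {
            let d = edit_distance(&name, &norm(e));
            d > 0 && d <= 2 // 0 means it is the expected crate itself
        }) {
            findings.push((name, format!("near-miss of {e}")));
        }
    }
    findings
}

fn main() {
    // Constructed lockfile excerpt; the versions and `fast_logg` are made up.
    let lock = "[[package]]\nname = \"fast_log\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"faster-log\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"fast_logg\"\nversion = \"0.0.0\"\n";
    for (name, why) in audit_lockfile(lock, &["fast_log", "serde"]) {
        println!("SUSPICIOUS {name}: {why}");
    }
}
```

A threshold of 2 is noisy for very short crate names, so treat a hit as a prompt to check the publisher and repository rather than as a verdict.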
Industry Implications
This attack might seem small in scale — only two crates, no dependent projects — but the psychological impact is far greater. Developers are reminded that even ecosystems like Rust, known for safety, are not invulnerable. If left unchecked, similar attacks could affect larger supply chains, powering millions of apps worldwide.
The Human Element in Cybersecurity
At its core, this attack exploited trust. Open-source thrives on community trust, collaboration, and reusability. But when attackers infiltrate this ecosystem, they corrupt that trust. It raises the question: should open-source platforms introduce stricter verification, signing, or vetting processes to prevent such incidents?
Fact Checker Results ✅❌
✅ The crates were real and published on crates.io.
✅ They successfully stole Solana and Ethereum keys via malicious code.
❌ They did not spread widely — no downstream crates were affected.
Prediction 🔮
Cybercriminals will continue targeting blockchain developers through supply chain attacks, with even more subtle typosquatting attempts. Expect to see AI-assisted malicious package generation in the near future, making attacks harder to spot. On the defensive side, package registries will likely adopt stricter identity verification, code signing, and automated scanning to protect the open-source ecosystem.
References:
Reported By: thehackernews.com