Add blog post for crates.io incident on 24.09.25 #1702
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,54 @@ | ||||||
| +++ | ||||||
| path = "2025/09/24/crates.io-malicious-crates-fasterlog-and-asyncprintln" | ||||||
| title = "crates.io: Malicious crates faster_log and async_println" | ||||||
| authors = ["Walter Pearce"] | ||||||
|
|
||||||
| [extra] | ||||||
| team = "the crates.io team" | ||||||
| team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io" | ||||||
| +++ | ||||||
|
|
||||||
| ## Summary | ||||||
|
|
||||||
| On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solona private keys, and arbitrary byte arrays for exflitration. | ||||||
|
|
||||||
| These crates were: | ||||||
| - `faster_log` - Published on May 25th, 2025, downloaded 7181 times | ||||||
| - `async_println` - Published on May 25th, 2025, downloaded 1243 times | ||||||
|
|
||||||
| The malicious code was executed at runtime, when running or testing a project depending on them. Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, documentation of legitimate crates, using a similiar name to them (a case of typosquatting[^typosquatting]). | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
|
|
||||||
| ## Actions taken | ||||||
|
|
||||||
| The user in question was immediately disabled, and the crates in question were deleted[^deletion] from crates.io shortly after. We have retained copies of all logs associated with the users and the malicious crate files for further analysis. | ||||||
|
|
||||||
| The deletion was performed at 15:34 UTC on September 24, 2025. | ||||||
|
|
||||||
| ## Analysis | ||||||
|
|
||||||
| Both crates were copies of a crate which provided logging functionality, and the logging implementation remained functional in the malicious crates. The original crate had a feature which performed log file packing, which iterated an associated directories files. | ||||||
|
|
||||||
| The attacker inserted code to perform the malicious action during a log packing operation, which searched the log files being processed from that directory for: | ||||||
|
|
||||||
| - Quoted Ethereum private keys (0x + 64 hex) | ||||||
| - Solana-style Base58 secrets | ||||||
| - Bracketed byte arrays | ||||||
|
|
||||||
| The crates then proceeded to exflitrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| These crates had no dependenant downstream crates on crates.io. | ||||||
|
There was a problem hiding this comment.
Suggested change
? |
||||||
|
|
||||||
| The malicious users associated with these crates had no other crates or publishes, and the team is actively investigating associative actions in our retained[^retention] logs. | ||||||
|
|
||||||
| ## Thanks | ||||||
|
|
||||||
| Our thanks to Kirill Boychenko from the [Socket Threat Research Team][socket] for reporting the crates. We also want to thank Carol Nichols from the crates.io team, Pietro Albini from the Rust Security Response WG and Walter Pearce from the [Rust Foundation][foundation] for aiding in the response. | ||||||
|
|
||||||
| [^deletion]: The crates were preserved for future analysis should there be other attacks, and to inform scanning efforts in the future. | ||||||
| [^retention]: One year of logs are retained on crates.io, but only 30 days are immediately available on our log platform. We chose not to go further back in our analysis, since IP address based analysis is limited by the use of dynamic IP addresses in the wild, and the relevant IP address being part of an allocation to a residential ISP. | ||||||
| [^typosquatting]: typosquatting is a technique used by bad actors to initiate dependency confusion attacks where a legitimate user might be tricked into using a malicious dependency instead of their intended dependency — for example, a bad actor might try to publish a crate at `proc-macro3` to catch users of the legitimate `proc-macro2` crate. | ||||||
|
|
||||||
| [foundation]: https://foundation.rust-lang.org/ | ||||||
| [init]: https://foundation.rust-lang.org/news/2022-09-13-rust-foundation-establishes-security-team/ | ||||||
| [socket]: https://www.socket.dev/ | ||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.