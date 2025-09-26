BleepingComputer reports that developers' cryptocurrency wallet keys and other secrets have been pilfered by a pair of Rust packages on Crates.io masquerading as the legitimate 'fast_log' crate.

Injection of an illicit payload into the packages, which had been downloaded almost 8,500 times before their removal, allowed the scanning of Hex and Base58 strings resembling Ethereum private keys and Solana keys or addresses, respectively, as well as bracketed byte arrays with potentially concealed seeds or keys, a Socket analysis revealed.

Discovery of such information would then prompt exfiltration alongside file paths and line numbers to the hardcoded Cloudflare Worker URL address mainnet[.]solana-rpc-pool[.]workers[.]dev, said Socket researchers. Both packages' publishing accounts have already been suspended by Crates.io, which emphasized the absence of dependent downstream crates.

Such a development should prompt developers to be more discerning of Rust crate publishers' reputation, as well as thoroughly examine such packages' building instructions.