From d6a11554c06e083230458bbfd9573e48404f72ca Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:30:39 -0400 Subject: [PATCH 1/6] Solona -> Solana --- ...ates.io-malicious-crates-fasterlog-and-asyncprintln.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index b62a63adc..ef93b7dcb 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md @@ -10,7 +10,7 @@ team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io" ## Summary -On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solona private keys, and arbitrary byte arrays for exflitration. +On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solana private keys, and arbitrary byte arrays for exflitration. These crates were: - `faster_log` - Published on May 25th, 2025, downloaded 7181 times @@ -23,7 +23,7 @@ The malicious code was executed at runtime, when running or testing a project de The user in question was immediately disabled, and the crates in question were deleted[^deletion] from crates.io shortly after. We have retained copies of all logs associated with the users and the malicious crate files for further analysis. -The deletion was performed at 15:34 UTC on September 24, 2025. +The deletion was performed at 15:34 UTC on September 24, 2025. ## Analysis 
@@ -35,11 +35,11 @@ The attacker inserted code to perform the malicious action during a log packing - Solana-style Base58 secrets - Bracketed byte arrays -The crates then proceeded to exflitrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. +The crates then proceeded to exflitrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. These crates had no dependenant downstream crates on crates.io. -The malicious users associated with these crates had no other crates or publishes, and the team is actively investigating associative actions in our retained[^retention] logs. +The malicious users associated with these crates had no other crates or publishes, and the team is actively investigating associative actions in our retained[^retention] logs. ## Thanks From 93d38618630891700e3bc8868d14f80f3b038ac1 Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:31:47 -0400 Subject: [PATCH 2/6] Exflitrate -> exfiltrate --- .../crates.io-malicious-crates-fasterlog-and-asyncprintln.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index ef93b7dcb..ade1d1fb5 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md 
@@ -10,7 +10,7 @@ team_url = "https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io" ## Summary -On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solana private keys, and arbitrary byte arrays for exflitration. +On September 24th, the crates.io team was notified by Kirill Boychenko from the [Socket Threat Research Team][socket] of two malicious crates which were actively searching file contents for Etherum private keys, Solana private keys, and arbitrary byte arrays for exfiltration. These crates were: - `faster_log` - Published on May 25th, 2025, downloaded 7181 times @@ -35,7 +35,7 @@ The attacker inserted code to perform the malicious action during a log packing - Solana-style Base58 secrets - Bracketed byte arrays -The crates then proceeded to exflitrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. +The crates then proceeded to exfiltrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. These crates had no dependenant downstream crates on crates.io. From b07fa98a56bb39ae7bbb4222fce825ee54a6d571 Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:32:30 -0400 Subject: [PATCH 3/6] Add a missing 'and' --- .../crates.io-malicious-crates-fasterlog-and-asyncprintln.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index ade1d1fb5..d6bd90e0f 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md 
@@ -16,7 +16,7 @@ These crates were: - `faster_log` - Published on May 25th, 2025, downloaded 7181 times - `async_println` - Published on May 25th, 2025, downloaded 1243 times -The malicious code was executed at runtime, when running or testing a project depending on them. Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, documentation of legitimate crates, using a similiar name to them (a case of typosquatting[^typosquatting]). +The malicious code was executed at runtime, when running or testing a project depending on them. Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, and documentation of legitimate crates, using a similiar name to them (a case of typosquatting[^typosquatting]). ## Actions taken From 35e395563e7fd0223b90a76efb7deaa042a92988 Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:33:29 -0400 Subject: [PATCH 4/6] There were plural users involved --- .../crates.io-malicious-crates-fasterlog-and-asyncprintln.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index d6bd90e0f..aa8c24e63 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md 
@@ -21,7 +21,7 @@ The malicious code was executed at runtime, when running or testing a project de ## Actions taken -The user in question was immediately disabled, and the crates in question were deleted[^deletion] from crates.io shortly after. We have retained copies of all logs associated with the users and the malicious crate files for further analysis. +The users in question were immediately disabled, and the crates in question were deleted[^deletion] from crates.io shortly after. We have retained copies of all logs associated with the users and the malicious crate files for further analysis. The deletion was performed at 15:34 UTC on September 24, 2025. From 1b182ed23c09f606871ae895aa486fc7e9cc2bc2 Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:34:46 -0400 Subject: [PATCH 5/6] Iterated was missing 'over' --- .../crates.io-malicious-crates-fasterlog-and-asyncprintln.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index aa8c24e63..1b7e7c9fa 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md 
@@ -27,7 +27,7 @@ The deletion was performed at 15:34 UTC on September 24, 2025. ## Analysis -Both crates were copies of a crate which provided logging functionality, and the logging implementation remained functional in the malicious crates. The original crate had a feature which performed log file packing, which iterated an associated directories files. +Both crates were copies of a crate which provided logging functionality, and the logging implementation remained functional in the malicious crates. The original crate had a feature which performed log file packing, which iterated over an associated directories files. The attacker inserted code to perform the malicious action during a log packing operation, which searched the log files being processed from that directory for: From 162a14cfc34372673014f5ef471af5da089570df Mon Sep 17 00:00:00 2001 From: "Carol (Nichols || Goulding)" Date: Wed, 24 Sep 2025 13:36:07 -0400 Subject: [PATCH 6/6] Dependenant -> dependent --- .../crates.io-malicious-crates-fasterlog-and-asyncprintln.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md index 1b7e7c9fa..f3bbfc980 100644 --- a/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md +++ b/content/crates.io-malicious-crates-fasterlog-and-asyncprintln.md @@ -37,7 +37,7 @@ The attacker inserted code to perform the malicious action during a log packing The crates then proceeded to exfiltrate the results of this search to `https://mainnet[.]solana-rpc-pool[.]workers[.]dev/`. -These crates had no dependenant downstream crates on crates.io. +These crates had no dependent downstream crates on crates.io. The malicious users associated with these crates had no other crates or publishes, and the team is actively investigating associative actions in our retained[^retention] logs.
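Review bot: Patch 1/6, Summary hunk: the corrected line still carries two other misspellings, "Etherum" (should be "Ethereum") and "exflitration"; the second is fixed in patch 2/6, but "Ethereum" is never corrected anywhere in the series and should be folded in here. Separately, the `@@ -23,7` and `@@ -35,11` hunks show `-`/`+` pairs whose visible text is identical, which points to trailing-whitespace-only changes; the commit message "Solona -> Solana" does not mention them, so either note the whitespace cleanup in the message or drop those hunks from this commit.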
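Review bot: Patch 3/6, `@@ -16,7` hunk: the same line still reads "using a similiar name to them", so "similiar" should become "similar" in this commit rather than leaving a typo on a line the patch already rewrites.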
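Review bot: Patch 5/6, `@@ -27,7` hunk: adding "over" fixes the verb, but the object is still wrong; "iterated over an associated directories files" needs the possessive, i.e. "iterated over an associated directory's files" (or "the files of an associated directory").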
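Review bot: Patch 6/6, `@@ -37,7` hunk: the unchanged context line below the fix still reads "had no other crates or publishes, and the team is actively investigating associative actions"; "publishes" as a noun is awkward ("published crates" or "publish events" reads more clearly) and "associative actions" is most likely meant as "associated actions" or "related activity". Since this commit is already a wording pass on this paragraph, fixing both here would keep the series from needing a seventh typo commit.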