Fixxx
Moderator
- Joined
- Aug 21, 2024
- Messages
- 748
- Reaction score
- 3,645
- Points
- 93
Two malicious packages with nearly 8,500 downloads in Rust's official crate repository scanned developers' systems to steal cryptocurrency private keys and other secrets. Rust crates are distributed through a central registry at Crates.io, the equivalent of npm for JavaScript, PyPI for Python, and Ruby Gems for Ruby. The malicious crates, named faster_log and async_println, were published on the platform on May 25 and were downloaded 7,200 and 1,200 times, respectively. Researchers at code security company Socket discovered the malicious crates and reported them to Crate.io. The platform removed both and suspended the publishing accounts, 'rustguruman' and 'dumbnbased', on September 24th.
Socket explains in a report that the two crates impersonated the legitimate ‘fast_log’ crate, copying its README file, repository metadata, and retaining the real project’s logging functionality to reduce suspicion.
The attackers exploited the log file packing functionality to scan for sensitive information. A payload hidden in the malicious crates executed at runtime to scan the victim’s environment and project source files for the following three item types:
Developers who have downloaded either crate need to perform a system cleanup and move their digital assets to new wallets to prevent theft. Before downloading a Rust crate, developers should verify the publisher's reputation. Another defense is to double-check building instructions to make sure they don't automatically fetch malicious packages.
Targeting crypto secrets
Socket explains in a report that the two crates impersonated the legitimate ‘fast_log’ crate, copying its README file, repository metadata, and retaining the real project’s logging functionality to reduce suspicion.
*cloning the legitimate project to reduce suspicion.
The attackers exploited the log file packing functionality to scan for sensitive information. A payload hidden in the malicious crates executed at runtime to scan the victim’s environment and project source files for the following three item types:
- Hex strings that look like Ethereum private keys
- Base58 strings that resemble Solana keys/addresses
- bracketed byte arrays that might hide keys or seeds
*the malicious crates appearing in search results for the legitimate project.
Developers who have downloaded either crate need to perform a system cleanup and move their digital assets to new wallets to prevent theft. Before downloading a Rust crate, developers should verify the publisher's reputation. Another defense is to double-check building instructions to make sure they don't automatically fetch malicious packages.