Faster_log and async_println key-stealing Rust crates
Malware Activity
Summary
The malicious Rust crates faster_log and async_println were published to steal Solana and Ethereum private keys from source files, creating a supply-chain risk for developers and CI systems. The packages copied the look and documentation of fast_log while hiding runtime code that searched Rust files for wallet secrets. They then exfiltrated matches by HTTP POST to mainnet.solana-rpc-pool.workers[.]dev. The crates were later removed from crates.io and the publisher accounts were disabled after disclosure.
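A triage check for the exposure described in this summary and in the timeline's technical analysis, as an added example that is not code from the researchers or from this page: it flags the two named crates in a `Cargo.lock` and lists where key-shaped literals sit in Rust source so those secrets can be rotated. The crate names come from the page; the versions, sample inputs and the two "key-shaped" patterns are constructed assumptions, not the malware's own matching rules.

```python
import re

# Crate names come from the page; versions and sample files below are constructed.
MALICIOUS = {"faster_log", "async_println"}

# Cargo writes each lockfile entry as [[package]] / name / version, in that order.
PKG_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')

# Assumed shapes for hard-coded wallet material (not taken from the malware):
# a quoted 0x-prefixed 32-byte hex string, and a bracketed array of 32+ byte values.
SECRET_SHAPES = {
    "hex-32-byte-key": re.compile(r'"0x[0-9a-fA-F]{64}"'),
    "byte-array": re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){31,}\d{1,3}\s*,?\s*\]"),
}

def flagged_packages(lock_text):
    """Return (name, version) for lockfile entries matching the named crates."""
    return [(n, v) for n, v in PKG_RE.findall(lock_text)
            if n.replace("-", "_") in MALICIOUS]

def exposed_literals(path, source):
    """Return (path, line, shape) for key-shaped literals; values are never returned."""
    found = []
    for shape, pattern in SECRET_SHAPES.items():
        for m in pattern.finditer(source):
            found.append((path, source.count("\n", 0, m.start()) + 1, shape))
    return sorted(found)

# Constructed sample inputs: one legitimate dependency, one of the named crates.
SAMPLE_LOCK = '''[[package]]
name = "fast_log"
version = "0.0.1"

[[package]]
name = "faster_log"
version = "0.0.2"
'''
SAMPLE_RS = (
    'fn main() {\n'
    '    let eth = "0x' + "ab" * 32 + '";\n'
    '    let sol: [u8; 64] = [' + ", ".join(["7"] * 64) + '];\n'
    '    let port = [80, 443];\n'
    '}\n'
)

if __name__ == "__main__":
    print(flagged_packages(SAMPLE_LOCK), exposed_literals("src/main.rs", SAMPLE_RS))
```

A lockfile hit means any literal reported in a build that ran the crate should be treated as disclosed and rotated; the scan reports locations only so its output can be shared without leaking the secrets again.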
Related Happenings
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Malicious npm packages @automagik/genie and pgserve self-propagating malware
Malware Activity
First: 24.04.2026 11:10
Last: 24.04.2026 11:10
Sources 1
About this happening:
**Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...
Timeline
- 25.09.2025 10:59 · 1 article · 8mo ago
Malicious Rust crates published with wallet-key theft
Exploitation Observed: The malicious Rust crates faster_log and async_println were published on crates.io under the aliases rustguruman and dumbnbased on May 25, 2025. The packages impersonated fast_log, kept logging functionality as cover, and added runtime code that scanned Rust source files for Solana and Ethereum private keys before exfiltrating matches to mainnet.solana-rpc-pool.workers[.]dev via HTTP POST.
Sources:
- Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed — thehackernews.com — 25.09.2025 10:59
- 25.09.2025 10:59 · 2 articles · 8mo ago
Researchers detail key-stealing typosquatting and crates.io takedown
Technical Analysis Update: Cybersecurity researchers disclosed that faster_log and async_println copied fast_log's source code, features, README, and repository field to disguise a typosquatting campaign against developers and CI systems. The analysis said the crates executed malicious code at runtime, recursively searched Rust files (*.rs) for Solana and Ethereum private keys and bracketed byte arrays, and crates.io removed the packages and disabled the two publisher accounts after responsible disclosure.
Sources:
- Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed — thehackernews.com — 25.09.2025 10:59