
"The crates include working logging code for cover and embed routines that scan source files for Solana and Ethereum private keys, then exfiltrate matches via HTTP POST to a hardcoded command and control (C2) endpoint," security researcher Kirill Boychenko said. "Following responsible disclosure, the maintainers of crates.io have taken steps to remove the Rust packages and disable the two accounts. It has also preserved logs of the threat actor-operated users along with the malicious crates for further analysis."
"The malicious code was executed at runtime, when running or testing a project depending on them," Crates.io's Walter Pearce said. The typosquatting attack, as detailed by Socket, involved the threat actors retaining the logging functionality of the actual library while introducing malicious code changes during a log packing operation that recursively searched Rust files (*.rs) in a directory for Ethereum and Solana private keys and bracketed byte arrays and exfiltrated them to a Cloudflare Workers domain ("mainnet.solana-rpc-pool.workers[.]dev").
Two malicious Rust crates impersonated the fast_log library to steal Solana and Ethereum wallet keys from source code. The crates, named faster_log and async_println, were published under aliases rustguruman and dumbnbased and amassed 8,424 downloads. The malicious packages retained legitimate logging functionality while embedding routines that recursively searched *.rs files for private keys and bracketed byte arrays and exfiltrated matches via HTTP POST to a hardcoded Cloudflare Workers domain mimicking a Solana RPC endpoint. The crates copied source, features, and documentation of the legitimate library. Crates.io removed the packages and disabled the attacker accounts.
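The name-based half of this attack (faster_log standing in for fast_log) is the part a project can check for mechanically before `cargo build` ever runs the crate's code. The following is an added example, not code from The Hacker News, Socket, or crates.io: a standard-library-only Rust check that reads the dependency names out of a Cargo.toml and flags any name that is not on an allow-list of known crates but sits within a small edit distance of one. The Cargo.toml text, the allow-list, and the distance threshold of 2 are constructed for the example. A copied crate published under an unrelated name (async_println in this incident) is not caught by a name check like this and needs source or behaviour review instead.

```rust
// Added example: typosquat check for Cargo.toml dependency names (std only).
// Not from the article or from any of the parties it describes.

/// Levenshtein edit distance between two strings, computed char-wise.
pub fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Pull dependency names out of a Cargo.toml with a minimal line-based
/// parser (no toml crate). Handles `name = ...` entries under the
/// [dependencies], [dev-dependencies] and [build-dependencies] tables and
/// the `[dependencies.name]` table form.
pub fn dependency_names(cargo_toml: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut in_deps = false;
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if let Some(rest) = line.strip_prefix("[dependencies.") {
            names.push(rest.trim_end_matches(']').to_string());
            in_deps = false;
            continue;
        }
        if line.starts_with('[') {
            in_deps = matches!(
                line,
                "[dependencies]" | "[dev-dependencies]" | "[build-dependencies]"
            );
            continue;
        }
        if !in_deps || line.is_empty() || line.starts_with('#') {
            continue;
        }
        if let Some((name, _)) = line.split_once('=') {
            names.push(name.trim().trim_matches('"').to_string());
        }
    }
    names
}

/// Return (dependency, look-alike known crate) pairs for every dependency
/// that is not itself a known crate but is within `max_distance` edits of one.
pub fn suspicious_deps(
    cargo_toml: &str,
    known: &[&str],
    max_distance: usize,
) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    for dep in dependency_names(cargo_toml) {
        if known.contains(&dep.as_str()) {
            continue; // exact match with an allow-listed crate: fine
        }
        let closest = known
            .iter()
            .map(|k| (edit_distance(&dep, k), *k))
            .min_by_key(|(d, _)| *d);
        if let Some((d, k)) = closest {
            if d <= max_distance {
                hits.push((dep.clone(), k.to_string()));
            }
        }
    }
    hits
}

fn main() {
    // Constructed manifest for the example; the crate names mirror the
    // incident (faster_log is two edits away from the real fast_log).
    let manifest = "[package]\nname = \"demo\"\n\n[dependencies]\nserde = \"1\"\nfaster_log = \"1.6\"\nasync_println = \"0.1\"\n";
    // Constructed allow-list of crates the project actually expects.
    let known = ["serde", "fast_log", "log", "tokio"];
    for (dep, lookalike) in suspicious_deps(manifest, &known, 2) {
        println!("suspicious dependency {dep}: looks like {lookalike}");
    }
}
```

In practice the allow-list would be the project's reviewed dependency set or a snapshot of the most-downloaded crates, and the check runs in CI before any build step that would execute build scripts or tests from a newly added crate.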
Read at The Hacker News