45
crates.io: Malicious crates faster_log and async_println | Rust Blog
(blog.rust-lang.org)
Not again...
As long as people are using Rust, it will necessarily attract this kind of action. This won't be the last attack we will see.
I think the team has handled it quite well.
Damn, expected something like this to happen or, well, be detected after the big NPM attacks.
What are the proper crates that the malicious ones were pretending to be? (I'm new to Rust)
Both were impersonating fast_log.
Thanks :)
async_println is a part of fast_log?
Both faster_log and async_println were purely malicious packages (not taken over and turned malicious).
I know faster_log is typosquatting / luring fast_log users but I’m not sure about about async_println (which was a clone of the malicious faster_log).
async_std::print is a thing so I guess trying to lure users who search crates before docs :shrug:
I mean, if you want your prints to be asynchronous you’re looking for trouble to begin with.
The previous statement is a joke.
Seriously more effort and investment should be put into code scanners if we want a bright future to modern software development
this post was submitted on 25 Sep 2025
45 points (100.0% liked)
Rust
7919 readers
6 users here now
Welcome to the Rust community! This is a place to discuss about the Rust programming language.
Wormhole
Credits
- The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)
founded 2 years ago
MODERATORS