Malicious Crate logprinter Removed From crates.io Over Supply Chain Threat
Logprinter was yanked from crates.io for malicious code under RUSTSEC-2026-0084, the second logger-named crate removed in five days as supply chain probing of Rust continues.

The RustSec advisory database logged RUSTSEC-2026-0084 on April 9, formally recording the removal of logprinter from crates.io after the crate was identified as containing malicious code. It was the second logger-named crate pulled from the registry in five days: logtrace had been taken down on April 5 under RUSTSEC-2026-0081, with Socket detecting and reporting that crate to the crates.io team. Logtrace accumulated 30 downloads across 2 versions before it was caught.
The specific payload details for logprinter remain confined to the advisory, but the pattern across recent Rust supply-chain incidents is consistent. Crates in this category typically present as routine utilities (logging libraries, in this case) to reduce scrutiny, while embedding network code that fetches and executes platform-specific malware or reads CI secrets. The danger is compounded by Cargo's build script mechanism: a crate's build.rs runs at compile time, as soon as the crate is built as a dependency, before a developer ever calls a single function from it. CI runners amplify the risk further: they commonly hold cloud provider tokens, repository secrets, and deployment credentials.
The timing of these removals also reflects a quieter notification landscape than the ecosystem had a year ago. In February 2026, Adam Harvey of the crates.io team announced that the team would stop publishing a blog post for every malicious crate removal. Unless a crate showed evidence of real-world usage or active exploitation, the advisory would go to RustSec only. Logprinter received no dedicated blog post, only a database entry. That shift makes subscribing to the RustSec advisory RSS feed more important, not less: it is now the primary early-warning channel for these takedowns.
If logprinter appeared anywhere in your dependency tree, remove it, rotate any secrets that were present on the affected machine or runner, and scan build logs and CI artifacts for anomalous outbound network connections. Because the crate has been yanked from the registry, reconstructing its payload behavior may require telemetry from tools like Socket, which has become a recurring detection source for exactly these incidents.

The broader context is a sustained campaign across multiple ecosystems. The March 30 advisory window alone included tree-sitter-pkl and sophosfirewall-python, both removed for malicious code. Earlier in 2026, polymarket-clients-sdk was flagged for credential exfiltration by impersonating a legitimate package. For Web3, CI-heavy, and AI agent stacks in particular, the supply chain remains an active attack surface regardless of what Rust guarantees at the language level.
Cargo audit integrated into CI, exact version pinning in Cargo.lock, and restricted publish access on organization-owned crates are the standard controls. What two logger-adjacent removals inside one week actually tell you is that someone is probing the ecosystem methodically, and passive dependency hygiene is not keeping pace.
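The check that the remediation paragraph and the controls above both describe, namely "does an advised crate appear anywhere in my dependency tree, and is every registry package pinned with a checksum," can be run against Cargo.lock directly. The following is an added example, not code from the article, RustSec, or the crates.io team. It parses the `[[package]]` tables of a lockfile with a line-based reader (no external crates), matches package names against a small advisory list, and flags registry packages that carry no checksum. The lockfile contents, the logprinter version number, and the checksum value are constructed for the demonstration; the advisory IDs are the two the article cites. Build scripts are not recorded in Cargo.lock, so this complements, rather than replaces, reviewing the build.rs of any flagged crate.

```rust
// Added example (not from the article or any RustSec/crates.io tooling): scan a
// Cargo.lock for crates named in RustSec advisories and for registry packages
// that lack a checksum.

#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
    pub checksum: Option<String>,
}

/// One advisory entry: the article reports both crates removed outright,
/// so every version is treated as affected.
pub struct Advisory {
    pub id: &'static str,
    pub crate_name: &'static str,
}

pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2026-0084", crate_name: "logprinter" },
    Advisory { id: "RUSTSEC-2026-0081", crate_name: "logtrace" },
];

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Package matches an advisory in the list.
    Advised { package: String, version: String, advisory: String },
    /// Registry package with no checksum line, so the locked source cannot be verified.
    Unverified { package: String, version: String },
}

/// Parse the `[[package]]` tables of a Cargo.lock. The package tables only use
/// `key = "value"` lines plus a `dependencies = [...]` array, so a line-based
/// parser is enough here; other tables (e.g. `[metadata]`) end the current package.
pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(LockedPackage {
                name: String::new(),
                version: String::new(),
                source: None,
                checksum: None,
            });
            continue;
        }
        if line.starts_with('[') {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            continue;
        }
        if let Some(pkg) = current.as_mut() {
            if let Some((key, value)) = line.split_once('=') {
                let value = value.trim().trim_matches('"').to_string();
                match key.trim() {
                    "name" => pkg.name = value,
                    "version" => pkg.version = value,
                    "source" => pkg.source = Some(value),
                    "checksum" => pkg.checksum = Some(value),
                    _ => {} // `dependencies = [` and array members are ignored
                }
            }
        }
    }
    if let Some(p) = current {
        packages.push(p);
    }
    packages
}

/// Match parsed packages against the advisory list and check registry pinning.
pub fn audit(packages: &[LockedPackage], advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for p in packages {
        if let Some(a) = advisories.iter().find(|a| a.crate_name == p.name) {
            findings.push(Finding::Advised {
                package: p.name.clone(),
                version: p.version.clone(),
                advisory: a.id.to_string(),
            });
        }
        // Packages fetched from a registry carry a checksum in Cargo.lock; a path
        // dependency (the workspace crate itself) has no source and is skipped.
        let from_registry = p.source.as_deref().map_or(false, |s| s.starts_with("registry+"));
        if from_registry && p.checksum.is_none() {
            findings.push(Finding::Unverified { package: p.name.clone(), version: p.version.clone() });
        }
    }
    findings
}

pub fn scan(lockfile: &str) -> Vec<Finding> {
    audit(&parse_lockfile(lockfile), ADVISORIES)
}

// Constructed sample lockfile: the logprinter version and checksum are placeholders.
pub const SAMPLE_LOCKFILE: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "logprinter",
 "serde",
]

[[package]]
name = "logprinter"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for finding in scan(SAMPLE_LOCKFILE) {
        println!("{finding:?}");
    }
}
```

Run as a CI step, a non-empty `Finding::Advised` result is the signal to fail the build and start the rotation and log-review steps described above; the advisory list here is static for the example, whereas a real pipeline would feed it from the RustSec database that `cargo audit` already consumes.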