Scottcjn / RustChain
Malicious Installer: SSH Key Deployment & Device Fingerprinting Operation
| FIELD | VALUE |
|---|---|
| Repository | Scottcjn/RustChain |
| Repository URL | github.com/Scottcjn/RustChain |
| Discovery Method | Automated secret scanner (ED25519 private key) → manual code review |
| Initial Finding | Hardcoded ED25519 SSH private key in setup-github-ssh.sh |
| Escalated Finding | Persistent data harvesting service distributed via curl-pipe-bash |
| Key Files Reviewed | setup-github-ssh.sh, install-miner.sh, miners/linux/rustchain_linux_miner.py |
| Rationale for Abuse Report | Repo owner is the likely threat actor — standard disclosure not appropriate |
RustChain presents itself as a proof-of-antiquity blockchain project that rewards users for mining on vintage hardware. It is distributed primarily through a curl -sSL ... | bash install command and offers token rewards (RTC) to users who run its miner software. The project operates a website at rustchain.org and claims a token listed on Solana as wRTC.
The investigation was initiated when an automated secret scanner flagged a hardcoded ED25519 SSH private key in a setup script. Manual review revealed that, unlike a typical accidental credential commit, this key was the intended payload of the script — designed to be written into the SSH directory of anyone who runs the installer. Further analysis of the miner code revealed extensive undisclosed hardware fingerprinting and data collection transmitted to a server under the repository owner's control.
Because the repository owner is the likely threat actor rather than a victim of a credential leak, this was escalated directly to GitHub abuse rather than filed as a standard responsible disclosure issue.
The secret scanner flagged an ED25519 private key header in setup-github-ssh.sh. The key was associated with the email address [email protected], which appeared in both the private key block and the embedded public key comment.
A typical accidental private key commit involves a developer's own key being committed unintentionally. This case was different: the key was the entire purpose of the script. setup-github-ssh.sh is a bash script designed to be run by users, and its function is to write the private key into the user's ~/.ssh/id_ed25519 file and add it to the SSH agent. This is not a credential that was accidentally included — it is a credential that the script intentionally deploys to other people's machines.
The install script, Linux miner, macOS miner, fingerprint checks module, and node server code were all retrieved and reviewed. The full scope of data collection and the persistent service installation were confirmed across multiple files.
Before escalating, the full repository gitingest was searched for authorized_keys to determine whether the SSH key installation constituted a confirmed backdoor. No references were found. The SSH key is written to the user's ~/.ssh/ directory but the code does not add the corresponding public key to authorized_keys on the target machine. A traditional SSH backdoor was therefore not confirmed, though the deployment remains suspicious and unexplained.
The script writes a hardcoded ED25519 private key belonging to the repository owner into the user's SSH directory, sets appropriate permissions (chmod 600), adds it to the SSH agent via ssh-add, and tests the GitHub connection. Anyone who runs this script will have the repository owner's private key loaded into their SSH agent.
No legitimate use case was identified for distributing a private key to users. If the intent were to give users SSH access to a server, the correct approach is to distribute a public key, not a private one.
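To triage a secret-scanner hit like this one without loading the key into an agent, a reviewer can parse the OpenSSH key container offline and pull out the key type, whether it is encrypted, its public half and the embedded comment (where the owner's email appeared here), then check that public half against an authorized_keys file, which is the search described above. The following Python is an added example, not code from the repository or from this report; the sample key it builds uses placeholder bytes and a placeholder comment, not the key from the repository.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN, END = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def _s(b):  # encode an SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read(buf, off):  # decode one SSH "string" at off -> (value, next offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sample_key(comment):
    # Constructed unencrypted ed25519 key in OpenSSH format for offline testing;
    # the key bytes are constant placeholders, not a usable keypair.
    pk, seed = b"\x02" * 32, b"\x01" * 32
    pub = _s(b"ssh-ed25519") + _s(pk)
    priv = struct.pack(">II", 7, 7) + _s(b"ssh-ed25519") + _s(pk) + _s(seed + pk) + _s(comment.encode())
    priv += bytes(range(1, (-len(priv)) % 8 + 1))  # pad to an 8-byte boundary with 1,2,3,...
    blob = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(priv)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [END, ""])

def inspect_private_key(pem_text):
    """Parse the OpenSSH container and return type, cipher, public-key line and comment."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END: raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC): raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read(blob, off)
    for _ in range(2):  # kdf name and kdf options
        _, off = _read(blob, off)
    pub, off = _read(blob, off + 4)  # +4 skips the key count
    priv, off = _read(blob, off)
    ktype = _read(pub, 0)[0].decode()
    info = {"type": ktype, "cipher": cipher.decode(), "comment": None,
            "pubkey_line": ktype + " " + base64.b64encode(pub).decode()}
    if cipher == b"none":  # the comment is only readable when the key is unencrypted
        p = 8  # skip the two check integers
        for _ in range(3):  # key type, public key, private key
            _, p = _read(priv, p)
        info["comment"] = _read(priv, p)[0].decode("utf-8", "replace")
    return info

def key_in_authorized_keys(info, authorized_keys_text):
    # True if the key's public half appears in authorized_keys (the backdoor check the report ran)
    b64 = info["pubkey_line"].split()[1]
    return any(b64 in ln for ln in authorized_keys_text.splitlines() if not ln.lstrip().startswith("#"))
```

On a machine that has run the installer, feed the contents of ~/.ssh/id_ed25519 to inspect_private_key and compare the returned comment with your own identity; an unexpected comment means the file was written by someone else's script.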
The installer creates and enables a system service that auto-starts on boot and restarts automatically if stopped. On macOS this is a launchd plist with RunAtLoad and KeepAlive both set to true. The service is installed without prominent disclosure to the user before the installation proceeds.
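As an added example (not code from the repository or from this report), the following Python summarises the boot and restart behaviour of a launchd plist, and of a systemd unit under the assumption that the Linux installer persists the same way, and flags entries that match the RunAtLoad/KeepAlive pattern described above while running from outside OS-managed paths. The sample plist and unit are constructed with placeholder labels and paths.

```python
import configparser
import plistlib

# Constructed launchd plist (placeholder label and paths) showing the RunAtLoad + KeepAlive
# pattern the report describes; not taken from the repository.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder-miner</string>
  <key>ProgramArguments</key><array><string>/usr/bin/python3</string>
    <string>/Users/victim/.miner/placeholder_miner.py</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed systemd unit with the same semantics; assumes (the report does not state it)
# that the Linux installer persists through a systemd service.
SAMPLE_UNIT = """[Unit]
Description=placeholder miner
[Service]
ExecStart=/usr/bin/python3 /opt/placeholder/placeholder_miner.py
Restart=always
[Install]
WantedBy=multi-user.target
"""
OS_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")

def _target(args):
    # An interpreter such as python3 just runs the script after it, so the last
    # absolute path on the command line is what actually persists.
    paths = [a for a in args if a.startswith("/")]
    return paths[-1] if paths else ""

def audit_launchd(plist_bytes):
    """Summarise the boot/restart behaviour of one launchd plist."""
    p = plistlib.loads(plist_bytes)
    ka = p.get("KeepAlive")  # true, or a dict of conditions: both mean "restart me"
    return {"name": p.get("Label"), "on_boot": bool(p.get("RunAtLoad")),
            "restarts": ka is True or isinstance(ka, dict),
            "target": _target(p.get("ProgramArguments") or [p.get("Program", "")])}

def audit_systemd(unit_text):
    """Summarise the boot/restart behaviour of one systemd service unit."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(unit_text)
    svc = cp["Service"]
    wanted = cp["Install"].get("WantedBy", "") if cp.has_section("Install") else ""
    return {"name": cp["Unit"].get("Description"), "on_boot": "multi-user.target" in wanted,
            "restarts": svc.get("Restart", "no") in ("always", "on-failure"),
            "target": _target(svc.get("ExecStart", "").split())}

def is_persistent_non_os(report):
    """Starts at boot, restarts when killed, and runs from outside OS-managed paths."""
    return report["on_boot"] and report["restarts"] and not report["target"].startswith(OS_PREFIXES)
```

To triage a machine that has run the installer, pass the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchDaemons to audit_launchd, and the text of each unit under /etc/systemd/system to audit_systemd.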
The miner collects and transmits the following data to the operator-controlled server at rustchain.org on every launch and every 10 minutes thereafter. No privacy policy exists for this data collection.
Server-side code confirms permanent storage in SQLite with dedicated tables for MAC address hashes (miner_macs), hardware binding records (hardware_bindings), and fingerprint history (miner_fingerprint_history).
The module performs extensive detection of virtual machines and cloud environments including AWS EC2, Google Cloud Platform, Microsoft Azure, DigitalOcean, Linode, Vultr, Hetzner, Oracle Cloud, OVH, and Alibaba Cloud. Detection methods include DMI path inspection, environment variable checks, /proc/cpuinfo hypervisor flag detection, systemd-detect-virt, and probing the cloud metadata endpoint at 169.254.169.254.
The stated purpose is to prevent emulated hardware from receiving mining rewards. However, the combination of detailed VM detection, hardware fingerprinting, MAC address collection, and persistent service installation goes significantly beyond what is needed for a proof-of-antiquity consensus mechanism.
- SSH private key belonging to the repository owner is written to user machines via a script designed for that purpose
- Persistent auto-starting service installed via curl-pipe-bash without adequate prior disclosure
- MAC addresses, hostnames, hardware serials, and detailed timing fingerprints collected and stored permanently on an operator-controlled server
- No privacy policy exists for collected data
- Token bounty system creates financial incentives for users to run the installer
- authorized_keys manipulation not found — traditional SSH backdoor cannot be confirmed from available code
- Reverse shell or remote command execution not found in miner code
- SSH key deployment purpose remains unexplained but unconfirmed as an active exploitation mechanism
The combination of a fake cryptocurrency project, curl-pipe-bash distribution, unexplained SSH key deployment to user machines, and extensive undisclosed hardware fingerprinting is consistent with a device fingerprinting operation or the groundwork for future credential harvesting. Whether or not the SSH key is currently being used for access, the pattern of behaviour warrants investigation by GitHub's trust and safety team.
- Reviewed install-miner.sh, rustchain_linux_miner.py, rustchain_mac_miner_v2.4.py, fingerprint_checks.py, and node/rustchain_v2_integrated_v2.2.1_rip200.py
- Searched full repository gitingest for authorized_keys — not found
- Searched for reverse shell patterns — not found
- Did not run any code, did not install the miner, did not test the SSH key
- Reported to GitHub abuse on 2026-03-18 with full technical documentation
- Did not contact the repository owner directly given the nature of the findings