A malicious Rust package, “evm-units,” uploaded to crates.io in mid-April 2025 by the user “ablerust,” attracted more than 7,000 downloads before it was removed. The package presented itself as an Ethereum Virtual Machine (EVM) unit utility but was built to quietly compromise developer machines running Windows, macOS or Linux. A second package by the same author, “uniswap-utils,” listed “evm-units” as a dependency and reached more than 7,400 downloads, spreading the malicious code further. Both packages have since been pulled from the registry to stop further compromise.
The malicious logic lives in a function named get_evm_version() that looks harmless at first glance. When called, it decodes an obfuscated URL, download.videotalks[.]xyz, and fetches a next-stage payload chosen to match the victim’s operating system. Socket security researcher Olivia Brown noted that the function still appears to return a valid Ethereum version number, so the caller sees nothing unusual. The payload is written to a system temporary directory and executed silently, giving the attacker arbitrary code execution on the developer’s machine.
A distinctive feature of the loader is an explicit check for the Qihoo 360 antivirus process, qhsafetray.exe, a security product widely used in the Chinese market. On Windows the package downloads a PowerShell script (init.ps1). If the Qihoo 360 process is not running, it launches the script through a Visual Basic Script wrapper so that no window is shown; if the process is present, it invokes PowerShell directly instead. A check keyed to the product of a leading Chinese internet company is a rare, explicit China-focused targeting indicator, consistent with the crypto-theft activity commonly seen in Asia, one of the largest retail cryptocurrency markets in the world.
The intended victims are evident from the package names: EVM (Ethereum Virtual Machine) and Uniswap (a decentralized cryptocurrency exchange protocol). Both were chosen to appeal to developers working in the Web3 space who would be searching for Ethereum-related utility crates. By embedding a cross-platform second-stage loader inside a function that behaves as advertised, the threat actor “ablerust” made the compromise hard to notice on first use.
The threat was compounded by the fact that “uniswap-utils” pulled “evm-units” in as a dependency, so any project depending on “uniswap-utils” could end up running the loader without the developer ever having added “evm-units” directly. This supply chain incident underscores the severe risk of relying on unvetted third-party dependencies, particularly in the fast-moving cryptocurrency and decentralized application development community, and the need to check the full dependency graph rather than only the crates a project names itself.
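As an added illustration (my own code, not code from the report, from Socket or from the packages described), the following Rust program sweeps a Cargo.lock for the two crate names above and reports the dependency chain that pulls each one in, so a project that never asked for “evm-units” still learns that “uniswap-utils” brought it along. It goes slightly beyond the page’s single case by walking the whole lock graph from every root package. The lockfile text, the project name my-dapp and all version numbers are constructed placeholders; the report gives no affected versions, so the sweep flags every version of the named crates.

```rust
use std::collections::{HashMap, HashSet};

/// One `[[package]]` table from Cargo.lock (source and checksum are ignored).
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>,
}

/// Crate names from the report. It lists no versions, so every version is flagged.
pub const INDICATOR_CRATES: &[&str] = &["evm-units", "uniswap-utils"];

/// Constructed Cargo.lock for a hypothetical crate "my-dapp" that depends on
/// uniswap-utils directly and on evm-units only transitively. Versions are placeholders.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3
[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
]
[[package]]
name = "uniswap-utils"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "evm-units",
]
[[package]]
name = "evm-units"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Strips a trailing comma and the surrounding double quotes from a TOML string value.
fn unquote(s: &str) -> Option<String> {
    let s = s.trim().trim_end_matches(',');
    (s.len() >= 2 && s.starts_with('"') && s.ends_with('"')).then(|| s[1..s.len() - 1].to_string())
}

/// Line-oriented parser for the Cargo.lock subset the sweep needs: `[[package]]` tables
/// with `name`, `version` and the multi-line `dependencies` list that Cargo emits.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    let mut in_deps = false;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(LockedPackage { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first table
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(entry) = unquote(line) {
                // An entry is "name" or "name 1.2.3" when two versions coexist; keep the name.
                pkg.dependencies.push(entry.split(' ').next().unwrap_or("").to_string());
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = unquote(v).unwrap_or_default();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = unquote(v).unwrap_or_default();
        } else if line == "dependencies = [" {
            in_deps = true;
        }
    }
    packages.extend(current.take());
    packages
}

/// Every path from a root package (one nothing depends on) down to an indicator crate,
/// so the report names the direct dependency that pulled the flagged crate in.
pub fn find_indicator_paths(packages: &[LockedPackage], indicators: &[&str]) -> Vec<Vec<String>> {
    let by_name: HashMap<&str, &LockedPackage> = packages.iter().map(|p| (p.name.as_str(), p)).collect();
    let depended_on: HashSet<&str> = packages.iter().flat_map(|p| p.dependencies.iter().map(String::as_str)).collect();
    let mut paths = Vec::new();
    for root in packages.iter().filter(|p| !depended_on.contains(p.name.as_str())) {
        walk(&by_name, root, indicators, &mut vec![root.name.clone()], &mut paths);
    }
    paths
}

/// Depth-first walk that records the current chain whenever it reaches an indicator crate.
fn walk(by_name: &HashMap<&str, &LockedPackage>, node: &LockedPackage, indicators: &[&str], stack: &mut Vec<String>, out: &mut Vec<Vec<String>>) {
    if indicators.contains(&node.name.as_str()) {
        out.push(stack.clone());
    }
    for dep in &node.dependencies {
        if stack.iter().any(|s| s == dep) { continue; } // cycle guard: dev-dependency cycles are legal
        if let Some(next) = by_name.get(dep.as_str()) {
            stack.push(dep.clone());
            walk(by_name, next, indicators, stack, out);
            stack.pop();
        }
    }
}
```

On the constructed lockfile the sweep returns two chains, my-dapp -> uniswap-utils and my-dapp -> uniswap-utils -> evm-units, which is the point: the second crate never appears in the project’s own Cargo.toml. To use it on a real project, read Cargo.lock from disk instead of SAMPLE_LOCK and fail the build when find_indicator_paths returns anything; the crate list is a plain slice, so newer indicators can be appended without touching the parser.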