Cybersecurity researchers have uncovered a malicious Rust package designed to target Windows, macOS, and Linux systems. This crate, named “evm-units,” was uploaded to the official Rust package repository, crates.io, in mid-April 2025 by a user identified as “ablerust.” It was downloaded more than 7,000 times over an eight-month period before being removed from the repository. The package was cleverly disguised, masquerading as a simple Ethereum Virtual Machine (EVM) unit helper tool to avoid suspicion and stealthily execute on developer machines. Further compounding the risk, another package created by the same author, “uniswap-utils,” which garnered over 7,400 downloads, listed “evm-units” as a dependency, meaning the malicious code was automatically included in its initialization process.
The package’s primary malicious functionality centers on downloading and silently executing a second-stage payload based on the victim’s operating system. According to Socket security researcher Olivia Brown, the malware first checks for the presence of the Qihoo 360 antivirus software, specifically the “qhsafetray.exe” process, which is associated with the Chinese security vendor. This check is a notable feature, suggesting a China-focused targeting indicator, as Qihoo 360 is a leading internet security company in that region. The focus on EVM and Uniswap, a decentralized cryptocurrency exchange protocol, suggests the entire supply chain incident is designed to target developers within the Web3 space, likely for crypto-theft, given Asia is a major market for retail cryptocurrency activity.
The execution logic is detailed and tailored for each operating system. On Linux, the package downloads a script, saves it as /tmp/init, and runs it in the background using the nohup command, a common technique for gaining persistent, full control. For macOS systems, it downloads a file also named init and executes it using osascript and the nohup command in the background. The Windows execution is the most complex, where the payload is saved as a PowerShell script file (“init.ps1”) in the temp directory. Before invoking the script, it checks for the “qhsafetray.exe” process; if the antivirus is not present, it creates a Visual Basic Script wrapper to run the PowerShell script with a hidden window, but if the antivirus is detected, it slightly alters the execution flow to directly invoke PowerShell, attempting to evade detection.
The overall scheme highlights the sophisticated nature of modern supply chain attacks, especially those targeting the developer ecosystem. The threat actor, “ablerust,” successfully embedded a cross-platform second-stage loader inside a function that appears entirely harmless. Furthermore, by ensuring the malicious code was pulled in as a dependency by another widely used package, “uniswap-utils,” the attacker significantly broadened the potential number of victims. This allowed the malicious code to execute automatically during the simple process of package initialization, demonstrating a high level of stealth and distribution efficiency.
Reference:
