
Cybersecurity researchers have discovered a malicious Rust package that can target Windows, macOS, and Linux systems and run covertly on developers’ machines under the guise of an Ethereum Virtual Machine (EVM) unit helper tool.
The Rust crate, named “evm-units”, was uploaded to crates.io in mid-April 2025 by a user named “ablerust” and has garnered over 7,000 downloads in the past eight months. Another package by the same author, “uniswap-utils”, lists “evm-units” as a dependency and has been downloaded over 7,400 times. The package has since been removed from the package repository.

“Based on the victim’s operating system and whether Qihoo 360 antivirus software is running, the package downloads the payload, writes it to the system’s temporary directory, and executes it silently,” Socket security researcher Olivia Brown said in the report. “The package appears to be returning the Ethereum version number, so victims are none the wiser.”
What is notable about this package is that it is explicitly designed to check for the presence of the “qhsafetray.exe” process, an executable associated with 360 Total Security, an antivirus software developed by Chinese security vendor Qihoo 360.
Specifically, the package calls a seemingly innocuous function named “get_evm_version()”, which decodes an embedded external URL (“download.videotalks[.]xyz”) and retrieves the next-stage payload from it according to the host operating system:
On Linux, it downloads a script, saves it to /tmp/init, and runs it in the background using the nohup command. This allows the attacker to gain complete control. On macOS, it downloads a file named init and runs it in the background via osascript and nohup. On Windows, it downloads the payload, saves it as a PowerShell script (‘init.ps1’) in a temporary directory, and checks for the running process “qhsafetray.exe” before invoking the script.
If the process is not present, a Visual Basic Script wrapper is created that runs the PowerShell script hidden, with no visible window. If the antivirus process is detected, the execution flow changes slightly: PowerShell is invoked directly.

“This focus on Qihoo 360 is an unusual and explicitly China-focused targeting metric, as Qihoo 360 is a major internet company in China,” Brown said. “This fits the profile of crypto theft as Asia is one of the largest global markets for crypto retail activity.”
The references to EVM and Uniswap, a decentralized cryptocurrency exchange protocol built on the Ethereum blockchain, indicate that this supply chain incident is designed to target developers in the Web3 space by disguising the packages as Ethereum-related utilities.
“The attacker who executed the malicious code, Ablerust, embedded a cross-platform second-stage loader within a seemingly innocuous function,” Brown said. “To make matters worse, the dependency was pulled into another widely used package (uniswap-utils), allowing the malicious code to be automatically executed during initialization.”
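One defensive check the transitive-dependency point above suggests, as an added example that is not from the report or from Socket: walk a project's Cargo.lock for the two crate names the report mentions and list every dependency chain through which they reach the project. The lock-file contents, the project name “my-dapp” and the minimal lock-file reader are constructed here for illustration.

```python
import re

# Crate names called out in the report: the malicious crate and the package that pulled it in.
FLAGGED = {"evm-units", "uniswap-utils"}

def parse_cargo_lock(text):
    """Minimal Cargo.lock reader: [[package]] tables with name and dependencies.
    Dependency entries look like "name" or "name 1.2.3 (source)"; only the name is kept."""
    packages, cur, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            packages.append(cur := {"name": "", "dependencies": []})
        elif cur is None:          # preamble such as `version = 3`
            continue
        elif in_deps or line.startswith("dependencies = ["):
            cur["dependencies"] += re.findall(r'"([^"\s]+)[^"]*"', line)
            in_deps = not line.endswith("]")
        elif m := re.match(r'name\s*=\s*"([^"]*)"', line):
            cur["name"] = m.group(1)
    return packages

def dependency_chains(packages, flagged):
    """For each flagged crate present, every dependency path up to a root crate that pulls it in."""
    result = {}
    for bad in sorted(flagged & {p["name"] for p in packages}):
        chains, stack = [], [[bad]]
        while stack:
            path = stack.pop()
            parents = [p["name"] for p in packages
                       if path[-1] in p["dependencies"] and p["name"] not in path]
            if not parents:            # reached a root: nothing depends on it
                chains.append(path)
            stack.extend(path + [q] for q in parents)
        result[bad] = sorted(chains)
    return result

# Constructed sample lock file for a hypothetical project "my-dapp"; not taken from the report.
SAMPLE_LOCK = """\
[[package]]
name = "evm-units"
[[package]]
name = "my-dapp"
dependencies = ["uniswap-utils"]
[[package]]
name = "uniswap-utils"
dependencies = [
 "evm-units",
]
"""
print(dependency_chains(parse_cargo_lock(SAMPLE_LOCK), FLAGGED))
```

Run against a real lock file, an empty result means neither crate name appears; a non-empty one shows which direct dependency brought it in.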
