Cybersecurity researchers have uncovered a malicious Rust package that targets developers on Windows, macOS, and Linux. The crate, "evm-units," was disguised as an Ethereum Virtual Machine (EVM) unit helper and was uploaded to crates.io in mid-April 2025 by a user operating under the pseudonym "ablerust." Over the following eight months it was downloaded more than 7,000 times, while a second crate by the same author, "uniswap-utils," which declared "evm-units" as a dependency, was downloaded more than 7,400 times. Both crates have since been removed from the registry.
Stealthy Execution Tactics
According to Socket security researcher Olivia Brown, the crate goes to some lengths to run its payload quietly. Depending on the victim's operating system, and on Windows on whether Qihoo 360 antivirus is running, it downloads a payload, writes it to the system's temporary directory, and executes it. The malicious code sits inside what looks like a harmless function that returns the Ethereum version number, so a developer reading the API sees nothing unusual.
The check for "qhsafetray.exe," an executable belonging to Qihoo 360's antivirus suite, is the most distinctive feature. The entry point is an innocuous-looking function named "get_evm_version()", which decodes an encoded URL ("download.videotalks[.]xyz") at runtime and fetches a next-stage payload tailored to the operating system:
- Linux: Downloads a script, saves it as /tmp/init, and runs it in the background with nohup, so the payload keeps running detached from the calling process and with that process's privileges.
- macOS: Downloads a file named init and runs it through osascript in the background, again via nohup.
- Windows: Downloads the payload and saves it as a PowerShell script ("init.ps1") in the temp directory, then checks for "qhsafetray.exe" before deciding how to launch it.
If the Qihoo 360 process is not found, the crate writes a Visual Basic Script wrapper that launches the PowerShell script in a hidden window. If the process is running, it skips the wrapper and invokes PowerShell directly. In either case init.ps1 executes; only the launch method changes.
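The execution chain described above is the kind of activity endpoint telemetry can catch. The Rust program below is an added example (it is not code from the article, from Socket, or from the malicious crate): it encodes three rules derived from the reported behaviour and runs them over constructed process-creation events. The rule names, the event layout, the sample command lines (including the victim binary name "my-dex-bot" and the PowerShell flags) and the use of /var/folders/ as the macOS temp location are assumptions made for the example.

```rust
// Added example (not from the article or Socket's report): detection logic for
// the loader's execution chain, run over constructed process-creation events.
// Rule names, field layout and every sample command line are assumptions.

#[derive(Debug, Clone)]
pub struct ProcEvent<'a> {
    pub parent: &'a str,  // parent process image, basename only
    pub image: &'a str,   // child process image, basename only
    pub cmdline: &'a str, // full child command line
}

/// Evaluate one event against three rules derived from the reported behaviour.
pub fn detect(ev: &ProcEvent<'_>) -> Vec<&'static str> {
    let parent = ev.parent.to_ascii_lowercase();
    let image = ev.image.to_ascii_lowercase();
    let cmd = ev.cmdline.to_ascii_lowercase();
    let mut hits = Vec::new();

    let is_powershell = image == "powershell.exe" || image == "pwsh.exe";

    // Rule 1 (Windows, Qihoo 360 absent): a Visual Basic Script host spawning
    // PowerShell is the hidden-window wrapper path described in the report.
    if is_powershell && (parent == "wscript.exe" || parent == "cscript.exe") {
        hits.push("vbs_wrapper_spawns_powershell");
    }

    // Rule 2 (Windows, either branch): PowerShell executing init.ps1 out of a
    // temp directory, whatever the parent. This also covers the direct
    // invocation used when qhsafetray.exe is running.
    if is_powershell && cmd.contains("init.ps1") && cmd.contains("\\temp\\") {
        hits.push("powershell_runs_temp_init_ps1");
    }

    // Rule 3 (Linux/macOS): nohup or osascript handed a file named `init` in a
    // temp location. /tmp/init is the Linux path from the report; /var/folders/
    // is an assumption for $TMPDIR on macOS.
    if image == "nohup" || image == "osascript" {
        let temp_init = cmd.split_whitespace().any(|t| {
            t.ends_with("/init") && (t.starts_with("/tmp/") || t.starts_with("/var/folders/"))
        });
        if temp_init {
            hits.push("nohup_or_osascript_runs_temp_init");
        }
    }
    hits
}

/// Return (event index, fired rules) for every event that matched at least one rule.
pub fn scan<'a>(events: &[ProcEvent<'a>]) -> Vec<(usize, Vec<&'static str>)> {
    events
        .iter()
        .enumerate()
        .map(|(i, e)| (i, detect(e)))
        .filter(|(_, h)| !h.is_empty())
        .collect()
}

/// Constructed sample telemetry. "my-dex-bot" stands in for a victim binary
/// that linked the trojanised crate; the last two events are benign controls.
pub const SAMPLE: &[ProcEvent<'static>] = &[
    ProcEvent { parent: "wscript.exe", image: "powershell.exe",
        cmdline: r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\init.ps1" },
    ProcEvent { parent: "my-dex-bot.exe", image: "powershell.exe",
        cmdline: r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\init.ps1" },
    ProcEvent { parent: "my-dex-bot", image: "nohup", cmdline: "nohup /tmp/init" },
    ProcEvent { parent: "my-dex-bot", image: "nohup", cmdline: "nohup osascript /var/folders/q1/T/init" },
    ProcEvent { parent: "explorer.exe", image: "powershell.exe",
        cmdline: r"powershell.exe -NoProfile -File C:\scripts\deploy.ps1" },
    ProcEvent { parent: "bash", image: "nohup", cmdline: "nohup ./build.sh" },
];

fn main() {
    for (i, hits) in scan(SAMPLE) {
        println!("event {i}: {}", hits.join(", "));
    }
}
```

Rule 1 alone would miss the branch taken when Qihoo 360 is present, which is why Rule 2 keys on the script location rather than the parent; the two benign events show that a PowerShell script outside the temp directory, or a nohup of an ordinary build script, does not fire.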
Targeting the Web3 Community
The Qihoo 360 check is notable because malware rarely singles out a Chinese antivirus product by name; it suggests the author expected victims inside China. Qihoo 360 is one of the largest internet security vendors in the country, and Asia is a major market for retail cryptocurrency trading, which fits the profile of a crypto-theft operation.
The references to the EVM and to Uniswap, a decentralized exchange protocol built on Ethereum, indicate that this supply chain attack was aimed at developers in the Web3 ecosystem. Brown noted that "ablerust" embedded a cross-platform second-stage loader in a function that appears harmless, then made "evm-units" a dependency of the more widely used "uniswap-utils." Any project that pulled in "uniswap-utils" therefore executed the loader during that crate's initialization without ever referencing "evm-units" directly.
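Because the loader arrived as a transitive dependency, the practical check for a Rust project is the lock file rather than Cargo.toml. The program below is an added example, not part of the article or Socket's report: it parses Cargo.lock, flags the two crate names from the report, and walks the dependents back to the root so the offending direct dependency is visible. The sample lock file and its version numbers are constructed placeholders, not the real published versions.

```rust
// Added example (not from the article or Socket's report): audit a Cargo.lock
// for crates named in the report and show which dependents pulled them in.
// std-only; the sample lock file below is constructed and its version numbers
// are placeholders.
use std::collections::HashMap;

/// Crate names from the report. No version is pinned: every version of these
/// names is treated as untrusted.
pub const KNOWN_BAD: &[&str] = &["evm-units", "uniswap-utils"];

#[derive(Debug, Default, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub deps: Vec<String>,
}

/// Dependency entries look like "name", "name 1.2.3" or "name 1.2.3 (source)";
/// only the crate name is needed to build the graph.
fn dep_name(entry: &str) -> Option<String> {
    let entry = entry.trim().trim_matches(|c| c == '"' || c == ',').trim();
    entry.split_whitespace().next().map(str::to_string)
}

/// Minimal parser for the `[[package]]` stanzas of a Cargo.lock. Only `name`,
/// `version` and the `dependencies` array are read; other keys are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs: Vec<Package> = Vec::new();
    let mut cur: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            pkgs.extend(cur.take());
            cur = Some(Package::default());
            in_deps = false;
            continue;
        }
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(d) = dep_name(line) {
                p.deps.push(d);
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            p.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            p.version = v.trim_matches('"').to_string();
        } else if let Some(rest) = line.strip_prefix("dependencies = [") {
            match rest.strip_suffix(']') {
                Some(inline) => p.deps.extend(inline.split(',').filter_map(dep_name)),
                None => in_deps = true,
            }
        }
    }
    pkgs.extend(cur);
    pkgs
}

/// For every known-bad package present, return each chain of dependents from
/// that package up to a root (a package nothing else depends on). Chains are
/// ordered bad crate -> ... -> root, so the last element is the direct
/// dependency to remove or pin in Cargo.toml.
pub fn find_bad_chains(pkgs: &[Package]) -> Vec<Vec<String>> {
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in pkgs {
        for d in &p.deps {
            dependents.entry(d.as_str()).or_default().push(p.name.as_str());
        }
    }
    let mut chains = Vec::new();
    for p in pkgs.iter().filter(|p| KNOWN_BAD.contains(&p.name.as_str())) {
        walk(&dependents, vec![p.name.clone()], &mut chains);
    }
    chains
}

fn walk(dependents: &HashMap<&str, Vec<&str>>, path: Vec<String>, out: &mut Vec<Vec<String>>) {
    let node = path.last().expect("path is never empty").as_str();
    match dependents.get(node) {
        None => out.push(path),
        Some(parents) => {
            for parent in parents {
                // Guard against cycles, which dev-dependency loops can create.
                if path.iter().any(|n| n.as_str() == *parent) { continue; }
                let mut next = path.clone();
                next.push(parent.to_string());
                walk(dependents, next, out);
            }
        }
    }
}

/// Constructed sample lock file; "my-dex-bot" is the workspace's own crate.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "evm-units"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-dex-bot"
version = "0.1.0"
dependencies = [
 "serde",
 "uniswap-utils",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "uniswap-utils"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "evm-units",
]
"#;

fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    for chain in find_bad_chains(&pkgs) {
        println!("{}", chain.join(" <- "));
    }
}
```

On a real checkout, `cargo tree -i evm-units` gives the same inverted view from the toolchain itself; the point of the standalone parser is that it can run in CI against a committed Cargo.lock without resolving or building anything, and that it reports "uniswap-utils" as the direct dependency to remove even though "evm-units" is the crate that carried the loader.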